How can I prevent a user from copying files to another hard drive?
You can disable USB storage on Linux by blacklisting the module.
modprobe -r usb-storage
echo blacklist usb-storage >> /etc/modprobe.d/10-usbstorage-blacklist.conf
echo blacklist uas >> /etc/modprobe.d/10-usbstorage-blacklist.conf
If your users have physical access to the machine, and knows the encryption keys, the game is up no matter what you do software-wise.
My suggestion would be to limit the access to physical interfaces of the machine. Lock it inside a box, and only let users interact via a keyboard, mouse and screen.
You should also note that you can't stop a user from copying something. Worst case? Take up the phone, and take pictures of the screen as they sift trough the files. Data loss prevention should in my opinion be targeted at stopping accidental copying to untrusted devices.
Client-server architecture
This is another approach that could make copying files much harder, but it requires investing more effort from your side.
Access to the information could be setup on a client-server architecture basis with information being stored in a database (such as MySQL or PostgreSQL) on a remote server in a secure location.
Then, provide access stations which would run a client application that retrieves information from the server and displays it to users.
So, instead of letting users access the information directly, you feed it to them.
You can make it harder for users to copy the data by limiting capabilities of the desktop environment, disabling USB ports, etc. Also, your app could display the information as an image as opposed to text, but this depends on whether or not this is appropriate from usability aspect.
But all this assumes that the only hosts that can access the database are locked-down client stations that you provide for users and that they are in a controlled environment so that they can not tamper with access stations or plug their own devices to the network.
Whether or not this is a good approach for your use case depends on your threat model, and how much effort you are ready to invest into this.
In addition to blocking USB (see other answers above):
Disable networking, because...
- ... otherwise user will use remote access to your machine, e.g. via scp or ftp, and copy files from your machine.
- ... otherwise logged in users will be able to transfer file via net from your machine to some other machine via scp, ftp, samba, http.