You can use hardware security modules in datacenter space you physically control to store the private keys used to encrypt your data at "CloudCo". Amazon even offers this service and calls it Cloud HSM.
There's always the in-memory vulnerability, which is harder to mitigate, but requires an attacker with physical access to the hypervisor, so it's much more difficult to execute (as most meat-space hacks are).