Scenario: We have our dedicated servers hosted with a hosting provider. They are running web apps and console apps, along with the database, which is SQL Server Express edition.

The applications encrypt/decrypt the data to/from the DB. We also store the keys on their server, so theoretically the hosting provider can access our keys and decrypt our data.

Question: How can we prevent the hosting provider from accessing our data?

1. We don't want the hosting provider's users to just log into SQL Server and see the data.

2. We don't want an unencrypted copy of the database files on the box.

To mitigate no. 1: Encrypt app.config so it does not store the plain-text DB username and password.

To mitigate no. 2: Turn on EFS on the SQL Server data folder. We could use TDE, but the SQL Server is the Web Edition, and the hosting company is going to charge us a fortune to use Enterprise Edition.

I'd really appreciate it if you have any suggestions about the above.
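Added example (not code from the original post) of mitigation no. 1: encrypting the connectionStrings section of a .NET app.config in place with the built-in DPAPI provider, so the file on disk no longer holds the plain-text DB username and password. It assumes a .NET Framework console app that references System.Configuration and has a connection string named "MainDb" (assumed name) in its app.config.

```csharp
using System;
using System.Configuration;

static class ConfigProtector
{
    // Built-in provider backed by Windows DPAPI (machine-scoped by default).
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts the <connectionStrings> section of this exe's app.config
    // if it is still stored in plain text.
    public static void ProtectConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (!section.SectionInformation.IsProtected)
        {
            // Machine-scoped DPAPI: the section can only be decrypted on this
            // server, but any account that can run code on the box (local
            // administrators included) can still call UnprotectSection. This
            // stops casual reading of the file, not a host administrator.
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // The application keeps reading the connection string as before;
    // the runtime decrypts the protected section transparently.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null)
            throw new InvalidOperationException("No connection string named '" + name + "'.");
        return settings.ConnectionString;
    }

    static void Main()
    {
        ProtectConnectionStrings();
        // Hand the secret to the data-access layer; never log its value.
        string cs = GetConnectionString("MainDb");  // assumed connection string name
        Console.WriteLine("connectionStrings section is protected; loaded "
                          + cs.Length + " chars.");
    }
}
```

Run it once under the service account that will later run the app, since the DPAPI-protected section must be written and read on the same machine.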