The only way to do this is to have the server only operate on encrypted data to begin with. Any scheme where the server can read the unencrypted data by itself can be subverted.

As with DRM, it is impractical to store both a lock and its key in the same place and expect it to be secure.