Despite the benefits of cloud computing, its potential customers are concerned with data mismanagement risks that stem from the accidental or intentional activity of cloud software administrators. Although trusted computing could provide customers with stronger guarantees that cloud services are more resilient to these threats, this technology is ill-suited for the cloud since it exposes too many internal details of the cloud infrastructure, and hinders fault tolerance and load-balancing flexibility. To solve these limitations and enable the design of trustworthy cloud services, we present a system called Excalibur. Excalibur provides policy-sealed data, a new trusted computing primitive which enables data to be sealed (i.e., encrypted to a customer-defined policy) such that it can only be unsealed (i.e., decrypted) by nodes whose configurations match the policy; the configuration of nodes is bound to trusted computing hardware, making the primitive resilient to the actions of cloud administrators. Excalibur uses novel cryptographic protocols, and makes judicious use of existing trusted computing primitives. To demonstrate that Excalibur is practical, we used it in the Eucalyptus open-source cloud platform in order to provide customers with greater confidence that data is processed exclusively by the nodes that meet their preferences.