Server-side encryption (SSE) for stored files is supported and can be enabled by default for all uploads in the S3 preferences, or for individual files under File → Info (⌘-I) → S3. AWS handles key management and key protection for you. Cyberduck previously supported server-side encryption using SSE-S3, where files are encrypted with AES-256 using a default key managed by S3.
Cyberduck 5.0 and later also supports server-side encryption of files uploaded to S3 with private keys managed in AWS Key Management Service (KMS). The dropdown list in the Info panel lets you choose from all private keys managed in KMS. This requires the kms:ListKeys permission for the AWS credentials used to connect to S3.
You can give it a try in the latest snapshot build.
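To confirm that uploads ended up under SSE-KMS with the intended key rather than the SSE-S3 default, the following added example (not Cyberduck code) audits dicts shaped like boto3 `head_object` responses. The object names, account number and key IDs are constructed sample values, and the expected key is assumed to be given as a key ID or ARN, not an alias.

```python
# Values S3 returns in the x-amz-server-side-encryption response header,
# exposed by boto3 head_object as "ServerSideEncryption".
SSE_S3 = "AES256"    # default key managed by S3
SSE_KMS = "aws:kms"  # key managed in AWS KMS


def classify(head):
    """Map one HeadObject-style response dict to an encryption mode."""
    mode = head.get("ServerSideEncryption")
    if mode is None:
        return "none"
    return {SSE_S3: "sse-s3", SSE_KMS: "sse-kms"}.get(mode, "other:" + mode)


def key_matches(reported, expected):
    """S3 reports the key as a full ARN; accept an ARN or a bare key ID."""
    if not reported:
        return False
    if reported == expected:
        return True
    return ":key/" in reported and reported.rsplit("/", 1)[-1] == expected


def audit(objects, expected_key):
    """Return (object name, finding) for everything not under expected_key."""
    findings = []
    for name, head in objects.items():
        mode = classify(head)
        if mode != "sse-kms":
            findings.append((name, mode))
        elif not key_matches(head.get("SSEKMSKeyId"), expected_key):
            findings.append((name, "wrong-key"))
    return findings


# Constructed sample data (not real objects, accounts or keys).
EXPECTED_KEY = "1234abcd-12ab-34cd-56ef-1234567890ab"
ARN = "arn:aws:kms:us-east-1:111122223333:key/"
SAMPLE = {
    "reports/q1.pdf": {"ServerSideEncryption": "AES256"},
    "reports/q2.pdf": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": ARN + EXPECTED_KEY},
    "tmp/scratch.txt": {},
    "reports/q3.pdf": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": ARN + "0987dcba-09fe-87dc-65ba-ab0987654321"},
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, EXPECTED_KEY):
        print(f"{name}: {finding}")
```

Against a live bucket, the same `audit` function can be fed the responses of `head_object` calls for each key returned by a listing.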