Hey Joel. Rather late reply here, but…
By default, artifacts uploaded to your own S3 bucket aren’t encrypted in any way.
You can set BUILDKITE_S3_SSE_ENABLED=true in the agent environment to enable S3 Server Side Encryption (SSE-S3) using AES256 and Amazon-managed keys. However the agent does not currently support KMS customer-managed keys (SSE-KMS) nor S3 Client Side Encryption.
Alternatively, you can of course encrypt your file(s) before uploading them as artifacts.