Yes CloudEndure can encrypt EBS volumes in both the staging area and subsequently the production EBS volumes launched in the target VPC.
The volumes are encrypted using the KMS keys available within, and those shared to, the account. The encryption key is a project level setting can be selected under Setup & Info / Replication Settings.
Through the IAM Policy, CloudEndure has access to KMS id of the key which allows access to use the key to encrypt the data. CloudEndure does not have access to the key itself, only to the Key ID. For additional information on how IAM policies and KMS keys, please review this AWS Documentation.
For details on KMS policies, review this AWS Documentation.