All created backups and snapshots are stored on Amazon Glacier, and before they are sent they are encrypted.
As far as your private keys go, what kind of keys are you talking about? SSH or GPG keys? Remember that no matter how well encrypted a backup might be, your server itself is still the main point of attack. If need to SSH from one server to another, you should create a new key pair for each machine. That makes it simpler to revoke one later if it is compromised while still having access with the key pair from your local machine. If you need to do GPG signing on the server, create a subkey for that. Again it will allow you to revoke it if it becomes compromised.