The System Security Officer can revoke permission from other users, groups, and roles to create encryption keys.
revoke create encryption key from user | role | group
