Granting permissions on keys

The key owner must grant select permission on the key before another user can specify the key in the create table, alter table, and select into statements. For the database default key, the owner is the System Security Officer. Key owners should grant select permission on keys only on an “as needed” basis.

The following example allows users with db_admin_role to use the encryption key “safe_key” when specifying encryption on create table, alter table, and select into statements:

grant select on safe_key to db_admin_role

Note: Users who process encrypted columns through insert, update, delete, and select do not need select permission on the encryption key.
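
The following sequence is an added example, not part of the original documentation. It shows the split described above: key permission is needed only to define encrypted columns, not to process them. It assumes Adaptive Server Enterprise encrypted-columns syntax with encryption already configured on the server. The table customer_cards, the column card_no, and the user entry_clerk are hypothetical names.

```sql
-- Key owner: create the key (skip this step if safe_key already exists).
create encryption key safe_key for AES with keylength 256
go

-- Key owner: grant key use only to the role that defines encrypted columns.
grant select on safe_key to db_admin_role
go

-- Member of db_admin_role: select permission on the key is checked here,
-- when the key is named in create table (likewise alter table, select into).
create table customer_cards (
    cust_id  int      not null,
    card_no  char(16) encrypt with safe_key
)
go

-- Table owner: a data-entry user gets table permissions only.
-- No grant on safe_key is made to entry_clerk; per the note above,
-- insert, update, delete, and select do not require it.
grant insert, select on customer_cards to entry_clerk
go
-- Assumption (not covered on this page): ASE uses a separate column-level
-- decrypt permission to control who can read the plaintext value.
grant decrypt on customer_cards (card_no) to entry_clerk
go

-- Review: list who currently holds permission on the key.
sp_helprotect safe_key
go

-- Key owner: withdraw key permission once the schema work is finished,
-- in keeping with the "as needed" guidance.
revoke select on safe_key from db_admin_role
go
```

Revoking select on the key prevents the role from naming safe_key in new create table, alter table, or select into statements.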