The SSO grants permission to create encryption keys. Only the SSO and the key custodian have implicit permission to create encryption keys.
The syntax is:
grant create encryption key to user | role| group
grant all in a database does not
grant create encryption key permission.
