If you are using restricted decrypt permission, you can assign the privileges for creating the task’s schema and managing keys as follows:
System security officer – configures restricted decrypt permission, creates encryption keys and grants select permission on keys to the DBO, and grants decrypt permission to the end user.
DBO – creates the schema and loads data.
