The key owner must grant select permission on the key before another user can specify the key in the create table, alter table, and select into statements. The key owner can be the system security officer, the key custodian or, for nondefault keys, any user with create encryption key permission. Key owners should grant select permission on keys as needed.
The following example allows users with db_admin_role to use the encryption key that is named “safe_key” when specifying encryption on create table, alter table, and select into statements:
grant select on safe_key to db_admin_role
Users who process encrypted columns through insert, update, delete, and select do not need select permission on the encryption key.