Understand how grant all works.
grant all without an object name in a database does not grant create encryption key. grant all without an object name is only supported when granular permissions is disabled.
When used without object names, grant all assigns these permissions: create database, create default, create procedure, create rule, create table, create function, and create view . create database permission can be granted only by a system administrator and only from within the master database.
Only the database owner and a system administrator can use the grant all syntax without an object name to grant create command permissions to users or groups. When the grant all command is used by the database owner, an informational message is printed, stating that only a system administrator can grant create database permission. All other permissions noted above are granted.
All object owners can use grant all with an object name to grant permissions on their own objects. When used with a table or view name plus user or group names, grant all enables delete, delete statistics, insert, select, truncate table, update, and update statistics permissions on the table.