The key administrator must decide where keys are stored, when they should be renewed, and
which owners can use a given key to encrypt data.
Grant Access to Keys
The key owner or a user with the sso_role must grant select permission on a key before another user can specify the key in the create table, alter table, and select into statements.
Separate Keys from Data
When you specify a data for encryption, you can use a named key from the same database or from a different database. Encrypting with a key from a different database provides a security advantage because, in the event of the theft of a database dump, it protects against access to both keys and encrypted data.