Only users who are assigned Cryptographic Operations privileges can perform cryptographic operations. The privilege set is fine-grained. The default Administrator system role includes all Cryptographic Operations privileges.
The No Cryptography Administrator role supports all Administrator privileges except for the Cryptographic Operations privileges. In addition to using the Cryptographer.* privileges, vSphere Native Key Provider can use the Cryptographer.ReadKeyServersInfo privilege, which is specific to vSphere Native Key Providers. See Cryptographic Operations Privileges for more information.
Additional custom roles can be created, for example, to allow a group of users to encrypt VMs but to prevent them from decrypting VMs.
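One way to build and check such an encrypt-only role with VMware PowerCLI, as an added example that is not part of the original documentation. It assumes an existing `Connect-VIServer` session, and the role name `Example-EncryptOnly` is hypothetical. It also assumes that any non-cryptographic VM privileges the users need are granted separately.

```powershell
# Added example, not VMware's own code. Requires VMware PowerCLI and a
# session already opened with Connect-VIServer.
$roleName = 'Example-EncryptOnly'   # hypothetical role name

# All Cryptographic Operations privileges defined on the connected vCenter.
$crypto = Get-VIPrivilege -PrivilegeItem |
    Where-Object { $_.Id -like 'Cryptographer.*' }

# Grant the privileges for encrypting VMs and deliberately omit
# Cryptographer.Decrypt.
$allow = 'Cryptographer.Encrypt', 'Cryptographer.EncryptNew'
$grant = $crypto | Where-Object { $_.Id -in $allow }

# Stop if the server does not expose every privilege we expect, rather than
# silently creating a role that is narrower than intended.
if (@($grant).Count -ne $allow.Count) {
    throw "Expected privileges not found: $($allow -join ', ')"
}

New-VIRole -Name $roleName -Privilege $grant | Out-Null

# Audit: list every role that holds any Cryptographer.* privilege and flag
# the ones that can decrypt. The new role should show CanDecrypt = False.
Get-VIRole | ForEach-Object {
    $held = $_.PrivilegeList | Where-Object { $_ -like 'Cryptographer.*' }
    [pscustomobject]@{
        Role             = $_.Name
        CanDecrypt       = $held -contains 'Cryptographer.Decrypt'
        CryptoPrivileges = ($held -join ', ')
    }
} | Where-Object CryptoPrivileges | Sort-Object Role | Format-Table -AutoSize -Wrap
```

The audit table is also a quick way to confirm that the No Cryptography Administrator role does not appear in it and that no unexpected custom role carries `Cryptographer.Decrypt`.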