To generate, destroy, export, import, and upload tenant secrets and customer-supplied key material user permission for Manage Encryption Keys is needed.
To edit, upload, and download HSM-protected certificates with the Shield Platform Encryption Bring Your Own Key service the following user permissions are needed:
Manage Encryption Keys, Manage Certificates and Customize Application.