First of all, congratulations. I'd always wanted to check out encryption and that article made my day! 🙂
I know a little bit (a dangerous thing, I know!) about execute as, especially the joy of switching context across databases, but I digress... Anyway, just curious about your reasons for using impersonation (in the context of your example).
>By using the "execute as" I am better able to control which users have access to the encrypted data
If I follow your example correctly, anyone with execute rights on getDecryptionwithExecute gets the EncryptionUser permissions and hence full access to the decrypted data...
I would have thought that the approach might be something like:
Grant execute to getDecryption to EncryptionUser
Deny execute on object::getDecryption to [MyUsers]
then after that the only way to access the encrypted data would be to impersonate EncryptionUser
execute as EncryptionUser
exec getDecryption
revert