The user keys are stored in:
%APPDATA%\Microsoft\Crypto\RSA
Machine keys are in:
%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys
You need to grant access to the user that runs the app:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
If you don't run as "NETWORK SERVICE" (Running iis express in VS will run as the local user) use:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "247MS\tlc"
Result:
Microsoft (R) ASP.NET RegIIS version 4.0.30319.17929
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Adding ACL for access to the RSA Key container...
Succeeded!
You need to export the key-pair and later import it on the host that need access to the config:
aspnet_regiis -px "NetFrameworkConfigurationKey" rsa-keypair.xml -pri
Result:
Microsoft (R) ASP.NET RegIIS version 4.0.30319.17929
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Exporting RSA Keys to file...
Succeeded!
This command will encrypt and change the web.config (so remember to commit before you run it just in case)
aspnet_regiis -pef "connectionStrings" "D:\E247\experimental\RSA\RSA.Web"
Result:
Microsoft (R) ASP.NET RegIIS version 4.0.30319.17929
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Encrypting configuration section...
Succeeded!
The key pair must be imported on the host that need to read the encrypted config section:
aspnet_regiis -pi "NetFrameworkConfigurationKey" "D:\E247\experimental\RSA\rsa-keypair.xml"
Result:
Importing RSA Keys from file..
Succeeded!