have you tried to do aspnet_regiis -pa to grant access to the key?

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi Chuck,

From your description, you're encountering some problems about encypting
web.config via exportable RSA provider, correct?

According to the RSA encryption reference, I've performed some local tests,
the normal process of encrypting web.config section via RSA provider and
move to other machine is as below:

======================
Step 1

Create a machine-level RSA key container:
aspnet_regiis -pc "MyTestKeys" -exp

Step 2

Grant Read Access to the RSA Encryption Key:

aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"

Step 3

Encrypt the config file:
aspnet_regiis -pef "connectionStrings" "physical path of the web site
folder"  -prov MyRSAProvider

export the container and import it back to other machine using the
following steps

Step 4

Export the machine-level RSA key container:
aspnet_regiis -px "MyTestKeys" "c:\Config-Key.xml" -pri

Step 5

Copy Config-Key.xml to c:\ on 2nd server

Step 6

Import the the machine-level RSA key container on the 2nd server:
aspnet_regiis -pi "MyTestKeys" "c:\Config-Key.xml"

Step 7

Grant Read Access to the RSA Encryption Key:
aspnet_regiis -pa "MyTestKeys" "NT AUTHORITY\NETWORK SERVICE"

Step 8

Copy encrypted web.config to 2nd server

========================

Based on the steps you mentioned, I think most of the process you've
followed should be correct. So far I'd like to suggest you check the
following things:

1.  Check your custom RSA provider setting to see whether it is correctly
copied to target machine also and set to use Machine container

========encrypt config section=======
<configProtectedData>
   <providers>
     <add keyContainerName="MyTestKeys"
              useMachineContainer="true"
              description="Uses RsaCryptoServiceProvider to encrypt and
decrypt"
              name="MyRSAProvider"
         
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configur
ation, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
   </providers>
 </configProtectedData>
=======================

2. AS in the above steps, after you create RSA key container, you need to
use "aspnet_regiis -pa" to make sure that the certain account(which will
run your ASP.NET application) has the sufficient access permission to the
key container.  Generally, when you use VS 2008/VS 2005 test server to run
ASP.NET application, you're using the logon user(which is probably the
admin), however, if you run the ASP.NET in IIS (or after move to other
server which is using another different process account), you need to make
sure the certain process account have been granted the permission.

You can check them to see whether the problem is due to some of them.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------