Comparing Machine-Level and User-Level RSA Key Containers
User-level RSA key containers are stored with the Windows user profile for a particular user and can be used to encrypt and decrypt information for applications that run under that specific user identity. User-level RSA key containers can be useful if you want to ensure that the RSA key information is removed when the Windows user profile is removed. However, because you must be logged in with the specific user account that will make use of the user-level RSA key container in order to encrypt or decrypt protected configuration sections, they are inconvenient to use.
Machine-level RSA key containers are available to all users that can log in to a computer, by default, and are the most useful as you can use them to encrypt or decrypt protected configuration sections while logged in with an administrator account. A machine-level RSA key container can be used to protect information for a single application, all the applications on a server, or a group of applications on a server that run under the same user identity. Although machine-level RSA key containers are available to all users, they can be secured with NTFS Access Control Lists (ACLs) so that only required users can access them.
It is recommended that you only secure sensitive information using protected configuration on file systems formatted using NTFS, so that you can restrict access to encryption key information using ACLs.
As there is little benefit from using user-level RSA key containers, it is recommended that you use machine-level RSA key containers when protecting configuration sections using the
Identifying Machine-Level and User-Level RSA Key Containers for the Aspnet_regiis.exe Tool
When creating, exporting, importing, or deleting an RSA key container using the Aspnet_regiis.exe tool, you must specify whether the RSA key container is a machine-level key container or a user-level key container. You identify an RSA key container as a user-level key container with the -pku option; otherwise, the RSA key container is considered a machine-level container.