Encrypting connection string - allowing other machines to decrypt

Question

I'm trying to develop a C# Winform application, which connects to SQL database.

My configuration file looks as follows:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configSections>
</configSections>
<connectionStrings>
<add name="myConnNameString"
providerName="System.Data.SqlClient"
connectionString="Data Source=myServerName;Initial 
Catalog=myDefDatabase;User=myUser;Password=myPassword;Application Name=myAppName" />
</connectionStrings>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
</startup>
</configuration>

I was able to succesfully encrypt this file via:

aspnet_regiis.exe -pef "connectionStrings" path_to_config_file

But once I did that I can't run my application normally anymore. Now I can do this only by running it as an Administrator

Cannot decrypt with provider RsaProtectedConfigurationProvider.
Cannot open key container RSA

Now as far as I understand this: https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff650304(v=pandp.10)

I have created a RSA with Machine Level Container so only a machine which encrypted a file can decrypt it, a no other machines can do it.

How can I let other machines decrypt this file aswell? My application is stored in a single directory on a remote network drive, to which everyone has access to. The application is run on their computers via shortcut.

Thank you in advance!

EDIT: It is also worth to mention that, not every person in our company has a local admininistator permission.

Answer 1

Ok so this what I've accomplished so far:

Created exportable RSA machine-level key container

aspnet_regiis -pc "MyKeys" -exp

Now I'm granting read access to that conatiner to a NT AUTHORITY\NETWORK SERVICE account(whatever it is)

aspnet_regiis -pa "MyKeys" "NT AUTHORITY\NETWORK SERVICE"

Then I encrypted my configuration file with my custom provider

aspnet_regiis -pef "connectionStrings" "path_to_config_file" - 
prov "myCustomProvider"

The configuration file looks a follows:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configProtectedData>
<providers>
  <add name="myCustomProvider"
       type="System.Configuration.RsaProtectedConfigurationProvider, 
                System.Configuration, Version=2.0.0.0,
                Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,
                processorArchitecture=MSIL"
                keyContainerName="MyKeys"
                useMachineContainer="true" />
</providers>
</configProtectedData>
<configSections>
</configSections>
<connectionStrings>
    <add name="myConnectionString"
    providerName="System.Data.SqlClient"
    connectionString="Data Source=myServerName;Initial 
    Catalog=myDefDatabase;User=myUser;Password=myPassword;Application 
    Name=myAppName" />
</connectionStrings>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
</startup>
</configuration>

Then I export my RSA key container to a file:

-px "MyKeys" "C:\Users\name.surname\Desktop\test\test.xml" -pri

And where should I import this xml file now? Does every user of my program has to exec this line?

aspnet_regiis -pi "MyKeys" test.xml

Now when I try to run my Winform program (even on the machine where the encryption was performed) I'm getting following error message:

Cannot decrypt using a provider myCustomProvider. Provider error message. An error occurred while decoding OAEP completion

Any help will be greatly apprecieate.