You can use this command-line tool:

%WinDir%\\Microsoft.NET\\Framework\\v2.0.50727\\aspnet_regiis.exe

Or you can do it inside a .NET process as described here:

http://davidhayden.com/blog/dave/archive/2005/11/17/2572.aspx

My preference today is to use this form in web.config:

<configSections>
    <section
          name="MySecrets"
          type="System.Configuration.SingleTagSectionHandler"
    />
</configSections>

<MySecrets
   FavoriteMusic="Disco"
   FavoriteLanguage="COBOL"
   DreamJob="Dancing in the opening ceremonies of the Olympics"
/>

This allows me to target a specific Configuration Section by running this command from the directory in which web.config resides:

aspnet_regiis -pef MySecrets .

Note that the period (.) is shorthand for the relative location of web.config.

Scott Guthrie introduces this pattern (by K. Scott Allen) here:

http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx

Download Robert Shelton’s video on this subject here:

http://channel9.msdn.com/Showpost.aspx?postid=134210

You may get an error like, “Error message from the provider: The RSA key container could not be opened.” This problem is covered in the Microsoft article, “Walkthrough: Encrypting Configuration Information Using Protected Configuration” here:

http://msdn2.microsoft.com/en-us/library/dtkwfdky.aspx

This RSA key container error is usually solved by this command (all on one line):

 aspnet_regiis -pa
    "NetFrameworkConfigurationKey" "YOURSERVER\\IUSR_YOURSERVER"

and

 aspnet_regiis -pa
    "NetFrameworkConfigurationKey" "NT AUTHORITY\\NETWORK SERVICE"

This command, however, may throw an error like, “The RSA key container was not found.” This means that you need to encrypt something first so you are in a bit of a chicken-or-egg thing.