First, encrypting app.config in client applications is not as easy as using aspnet_regiis.exe for a single IIS server because using the DPAPIProtectedConfigurationProvider or the RSAProtectedConfigurationProvider is machine-specific, requiring encryption to be run on every machine where the client application is installed.

Second, as of this writing any code sample tried by be using SectionInformation.ProtectSection() is not working at runtime from within the context of the executing assembly or by using ConfigurationManager.OpenExeConfiguration() pointing to an out-of-process configuration file.

See “SectionInformation.ProtectSection Method” here:

http://msdn2.microsoft.com/en-us/library/
    system.configuration.sectioninformation.protectsection.aspx