I am trying to encrypt the connection string by using
aspnet_regiis -pef "connectionStrings" "C:\Proj"
It gave me a beautiful encrypted string.
However, it can be decrypted easily by running
aspnet_regiis -pdf "connectionStrings" "C:\Proj"
In this case, it is not useful.
My requirement is just that I want to encrypt the connection string and only I can decrypt it (but not any other people who have access to the server or account).
It is found that the default aspnet_regiis is using DPAPI to get the key,
and using a custom provider can achieve what I wanted.
Then I tried:
Create a custom key:
aspnet_regiis -pc "myKey" -exp
Grant it to the IIS app pool:
aspnet_regiis -pa "IIS AppPool\DPool"
Encrypt it:
aspnet_regiis -pef connectionStrings c:\project -prov "customProvider"
After that, the connectionStrings section is encrypted correctly.
However, I found that there is no way to remove the dependence between the custom provider key and the web.config.
Users can see something like this in the web.config:
<configProtectedData>
  <providers>
    <add name="customProvider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         keyContainerName="myKey"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
<connectionStrings configProtectionProvider="customProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>ICeYUc4dqh2XkxcQzB5VQc7egRcJfPLNOgoJTveUJlEvc67dzGUO13TYiAe/X1bKvouSfUUba4SXX981bhf26Z79e03ht8PciFBrcRCTRvsYYtcN4c8jRMoHYRcfd1bSGs7uWueR2+//SCZihwR8sfU6g8HTaSit7e0sxkzlIGE=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>TRrubEXUzzhqFXXhTt3hjsvjHPqxcJENNlYNkNBMSDEhzlowdV10r/2W7ln38DiZU4Jt0gYUcHKt/dBAM1Y0vNlqctKQMF0hD4VxK5E27D+uynyvUjcLIzCOTtSq4MLbiimGo0NC9rB7wax3Wxmlx6SPeGo6RLkvM2GyjfzwKx7mGqodV9rgX7O7nb+8YVCJdMJsckMUcyZDYbxINl+LmUjv3kJFtU3/3dV3s0pSZfNGURau8JQf4+UI/XMXQrHiU6fbfMdb5GEsEUkqHJh2foEbAfBVAz7F7vMtwVZ+Vvue7bOyFub8rGbmLOLifnSuEp8krJitTg7wQ9Dwdb6BxQ==</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
In this case the custom key container is exposed (and I couldn't remove it, otherwise the web site is also unable to decrypt the connection strings).
Obviously, everyone can still execute the command to decrypt the connection strings:
aspnet_regiis -pdf connectionStrings "C:\Proj"
It means the issue is still not solved even though I applied a custom RSA key container provider.
Is there something I missed? Is there really some dependency which I can remove so that people cannot decrypt the connectionString by running -pdf, and at the same time IIS can read the connection string correctly?
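As an added example that is not part of the original question, the following Windows PowerShell 5.1 (.NET Framework) script lists the access rules on the RSA key container that the provider entry above refers to. The web.config only names the container; what actually decides who can run `aspnet_regiis -pdf` is the ACL on that container, so auditing it answers the question of who can decrypt. The container name `myKey` and the machine-level store come from the question; the function name and the output shape are assumptions of this example.

```powershell
# Added example (not from the original post): enumerate who is allowed to use
# the machine-level RSA key container behind an RsaProtectedConfigurationProvider.
# Assumes Windows PowerShell 5.1 on the server that holds the container.
param(
    [string]$ContainerName = "myKey"   # name taken from the question's web.config
)

# CryptoKeySecurity lives in the System.Security assembly
Add-Type -AssemblyName System.Security

function Get-RsaKeyContainerAccess {
    param([Parameter(Mandatory)][string]$Name)

    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Name
    # Open the existing machine-level container; UseExistingKey makes the call
    # fail instead of silently creating a fresh key pair under the same name.
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
                 [System.Security.Cryptography.CspProviderFlags]::UseExistingKey

    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
    try {
        $rsa.PersistKeyInCsp = $true       # never delete the key on Dispose
        $info  = $rsa.CspKeyContainerInfo
        $rules = $info.CryptoKeySecurity.GetAccessRules(
                     $true, $true, [System.Security.Principal.NTAccount])

        foreach ($rule in $rules) {
            [pscustomobject]@{
                Container = $Name
                KeyFile   = $info.UniqueKeyContainerName  # file name under MachineKeys
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.CryptoKeyRights
                Type      = $rule.AccessControlType
            }
        }
    }
    finally {
        $rsa.Dispose()
    }
}

# Every Allow entry here is an account that can decrypt the section with -pdf.
$access = Get-RsaKeyContainerAccess -Name $ContainerName
$access | Format-Table -AutoSize

# Flag broad grants (built-in groups) separately so they stand out in a review.
$broad = $access | Where-Object {
    $_.Type -eq 'Allow' -and $_.Identity -match '^(BUILTIN\\|Everyone$|NT AUTHORITY\\Authenticated Users$)'
}
if ($broad) {
    Write-Warning "Broad access on container '$ContainerName':"
    $broad | Format-Table Identity, Rights -AutoSize
}
```

The rows this prints are the real trust boundary for the encrypted section: the app pool identity granted with `aspnet_regiis -pa` must appear, and any other account that appears (local Administrators are typically present) can decrypt just as the question describes. Access for an account that should not have it is removed with `aspnet_regiis -pr "myKey" "<account>"`, after which `-pdf` run as that account fails while IIS, running as the app pool identity, still reads the section.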