The following answer on GitHub presented a relatively easy way to do the transfer; I couldn't find anything better:
Moving keys that are encrypted using the default mechanism is probably something that will never be supported / documented because of how fragile and error-prone it is. The easiest and most fool-proof way to migrate a live web app would be what @blowdart suggests: configure the Data Protection system to use the file system as the key repository, and also configure it to use an X.509 certificate to protect keys at rest. You can even do this using a console application and watch the key files get dropped on disk. Then change your web app's startup config to use the same repository / protection mechanism. After a few days (default 48 hours) the key rotation policy will kick in and the web application will start using the new keys on disk rather than the old keys from the registry. (The old keys will still be able to decrypt existing auth tokens, but they won't be used to issue new auth tokens.) Wait a few more days to make sure that all existing logged-on users have had their auth tokens refreshed. Then you can move the web application - keys and all - to the new machine. You'll lose the ability to decrypt with the old keys, but this shouldn't result in service interruption since all logged-on users should have had their auth tokens refreshed over the waiting period.
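The console-application step from the answer above, as an added example (not code from the quoted answer or from the ASP.NET Core project): it points Data Protection at a file-system key repository protected by an X.509 certificate, forces a key to be written, then reports each key file's activation date and at-rest protector. The key directory, certificate thumbprint and purpose string are placeholders assumed for illustration.

```csharp
// Added example; needs the Microsoft.AspNetCore.DataProtection.Extensions NuGet package.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;
using Microsoft.AspNetCore.DataProtection;

// Assumed placeholder values: substitute your own directory and thumbprint.
var keyDir = new DirectoryInfo(@"C:\keys\myapp");
const string thumbprint = "<CERT-THUMBPRINT-PLACEHOLDER>";

// The certificate must carry its private key, or keys cannot be decrypted later.
using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
var cert = store.Certificates
    .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
    .OfType<X509Certificate2>()
    .FirstOrDefault(c => c.HasPrivateKey)
    ?? throw new InvalidOperationException("Certificate with private key not found.");

// File-system repository plus X.509 protection of keys at rest.
// Web app equivalent in startup config:
//   services.AddDataProtection()
//       .PersistKeysToFileSystem(keyDir)
//       .ProtectKeysWithCertificate(cert);
var provider = DataProtectionProvider.Create(keyDir, builder =>
    builder.ProtectKeysWithCertificate(cert));

// The first Protect call loads the key ring and creates a key if none exists.
var protector = provider.CreateProtector("migration-smoke-test");
var roundTrip = protector.Unprotect(protector.Protect("hello"));
Console.WriteLine($"Round trip ok: {roundTrip == "hello"}");

// Inspect the key files: a key with no encryptedSecret element is stored in clear.
foreach (var file in keyDir.GetFiles("key-*.xml"))
{
    var key = XDocument.Load(file.FullName).Root!;
    var decryptor = key.Descendants()
        .Where(e => e.Name.LocalName == "encryptedSecret")
        .Select(e => (string?)e.Attribute("decryptorType"))
        .FirstOrDefault() ?? "NONE (key material unencrypted on disk)";
    Console.WriteLine(file.Name);
    Console.WriteLine($"  activates:    {(string?)key.Element("activationDate")}");
    Console.WriteLine($"  protected by: {decryptor.Split(',')[0]}");
}
```

Before moving the application, every key file in the directory should report a certificate-based decryptor, and the certificate with its private key has to be installed on the new machine as well.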