The ASP.NET machine key is a pair of secret keys (a validation key and a decryption key) that web applications use to protect sensitive data: the validation key signs data so that tampering is detected, and the decryption key encrypts it.
ASP.NET web applications use the machine key to protect cookies, forms-authentication tickets, resource identifiers, etc.
By default, the machine key is generated automatically on the web application's first use and stored in machine-local storage. The next time the application needs the machine key, the existing one is loaded from that storage on demand. The key is tied to the machine by default, which is why it is called the "machine" key.
A typical scenario that calls for an explicitly generated machine key is a web farm. A web farm consists of several machines (nodes), each hosting one instance of the given web application. The nodes typically sit behind a load balancer and are expected to run identical copies of the web application, so that every client gets the same content regardless of which node serves it.
By default, every node in a web farm uses its own machine key. This has immediate and disastrous consequences: cookies and tickets protected by one node cannot be validated or decrypted by another node. To the customer it looks like being logged off the website all of a sudden, having the shopping cart emptied, and so on.
The obvious solution is to make all nodes in the web farm share the same machine key. To achieve that, the machine key is generated beforehand and placed in the configuration file, so that every copy of the given web application uses the same machine key no matter which physical or virtual machine it runs on.
Technically, yes, one machine key can be shared by several web applications. But your best bet is one machine key per web application: any application that holds the key can forge authentication tickets for, and decrypt the protected data of, every other application sharing it. Separate keys eliminate that risk.
The machine key should be placed in the Web.config file of your ASP.NET web application, as shown below:
<configuration>
<system.web>
<machineKey ... />
</system.web>
</configuration>
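The following is an added example, not code from this page or from ASP.NET itself. It generates a validation/decryption key pair of the kind the web-farm discussion above calls for, renders the `<machineKey>` element whose attributes the fragment above elides, and simulates the web-farm failure mode: a cookie MAC'd by node A is rejected by node B while the nodes hold different keys, and accepted once they share one. Assumptions, all mine rather than the page's: `validation="HMACSHA256"` and `decryption="AES"` as the algorithms, 64-byte and 32-byte keys, and a deliberately simplified `payload || HMAC-SHA256` construction that stands in for ASP.NET's real ticket format only to show the key dependency. The sample payload is constructed.

```python
import hashlib
import hmac
import secrets
from xml.sax.saxutils import quoteattr

# Assumed algorithm choices for the generated element: HMAC-SHA256 for
# validation and AES for decryption. ASP.NET reads both keys as hex strings;
# 64 bytes is the usual validationKey size for HMACSHA256, and AES accepts
# a 16-, 24- or 32-byte decryptionKey.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
AES_KEY_SIZES = (16, 24, 32)


def generate_machine_key(validation_bytes=VALIDATION_KEY_BYTES,
                         decryption_bytes=DECRYPTION_KEY_BYTES):
    """Return (validationKey, decryptionKey) as upper-case hex strings drawn
    from the operating system's CSPRNG (secrets is backed by os.urandom)."""
    return (secrets.token_hex(validation_bytes).upper(),
            secrets.token_hex(decryption_bytes).upper())


def machine_key_element(validation_key, decryption_key,
                        validation="HMACSHA256", decryption="AES"):
    """Render the <machineKey> element to paste under <system.web> in
    Web.config. Rejects keys that are not hex or have a size AES refuses."""
    for name, key in (("validationKey", validation_key),
                      ("decryptionKey", decryption_key)):
        try:
            raw = bytes.fromhex(key)
        except ValueError:
            raise ValueError(f"{name} must be a hex string") from None
        if name == "decryptionKey" and decryption == "AES" and len(raw) not in AES_KEY_SIZES:
            raise ValueError("AES decryptionKey must be 16, 24 or 32 bytes")
    return (f"<machineKey validationKey={quoteattr(validation_key)} "
            f"decryptionKey={quoteattr(decryption_key)} "
            f"validation={quoteattr(validation)} "
            f"decryption={quoteattr(decryption)} />")


# --- The web-farm failure mode, simulated ---------------------------------
# Constructed stand-in for ASP.NET's MAC protection: payload || HMAC-SHA256.
# The real ticket format differs; only the dependency on the key matters here.
MAC_LEN = hashlib.sha256().digest_size


def protect(validation_key_hex, payload):
    """Append an HMAC-SHA256 tag computed under the node's validation key."""
    mac = hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()
    return payload + mac


def unprotect(validation_key_hex, cookie):
    """Return the payload if the tag verifies under this key, else None."""
    if len(cookie) <= MAC_LEN:
        return None
    payload, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
    expected = hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None


def web_farm_accepts(shared_key):
    """Node A issues a protected cookie; node B tries to read it.
    Returns True only if node B accepts the cookie."""
    key_a, _ = generate_machine_key()
    key_b = key_a if shared_key else generate_machine_key()[0]
    cookie = protect(key_a, b"user=alice;cart=42")  # constructed sample payload
    return unprotect(key_b, cookie) is not None


if __name__ == "__main__":
    vk, dk = generate_machine_key()
    print(machine_key_element(vk, dk))
    print("per-node keys, cookie accepted by other node:", web_farm_accepts(False))
    print("shared key,    cookie accepted by other node:", web_farm_accepts(True))
```

Paste the printed element under `<system.web>` on every node, and treat the two values as you would a password: they belong in source control or a deployment pipeline only in protected form. On a Windows host the section can be encrypted in place with `aspnet_regiis.exe -pe "system.web/machineKey" -app "/YourApp"`, which keeps the key out of a plain-text Web.config.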
Microsoft provides somewhat sparse documentation on the concept of ASP.NET machine keys, but it is better than nothing:
ASP.NET Machine Key Generator uses a FIPS-compliant pseudorandom entropy source. Communication is performed only over the secure TLS/SSL protocol. The generator never stores the generated machine keys.