unfortunately the only thing user.config can override is the <appSettings section
In fact you can see how it works if you look at Web.config
so user.config is an arbitrary name, you could save it as somethinghardertoguess.config and then change the setting in Web.config to point to your custom file. Actually a good idea from a security perspective but one more thing to maintain.
unfortunately a custom machine key is also something one has to maintain in web.config over upgrades.
yes, there is a little good news for users who registered through RPX. mojoPortal does create an internal random password for those users but they don't need it since they authenticate against RPX openid service. They "could" use that password if they knew about it and login directly but typically they don't know that and only login via RPX, so they are much less likely to notice anything about the change to machine key, other than they will have to login again because their cookie will not be valid after changing the machine key.