How to protect your Web.config file

It is a good practice to encrypt your Web.config file if you have sensitive information there, for example a connection string with password.

With the ASP.NET IIS Registration tool (Aspnet_regiis.exe) you can easily encrypt specific sections of Web.config file. A command with elevated privileges is required.

Example using DataProtectionConfigurationProvider. This provider uses DPAPI to encrypt and decrypt data:

aspnet_regiis.exe -pef "connectionStrings" c:\inetpub\YourWebApp -prov "DataProtectionConfigurationProvider"

Example using RSAProtectedConfigurationProvider:

aspnet_regiis.exe -pef "connectionStrings" c:\inetpub\YourWebApp -prov "RSAProtectedConfigurationProvider"

If you do not specify the -prov parameter it uses RSAProtectedConfigurationProvider as default. This provider is recommended for Web Farm scenarios.

To get connectionStrings section back to clear text:

aspnet_regiis.exe -pdf "connectionStrings" c:\inetpub\YourWebApp

More information about the aspnet_regiis.exe is avaiable on MSDN.