Ideally you would not rely on this information at all; it would be better to have authentication done by other, more secure mechanisms, such as Integrated Security. Having said that, here is the requested solution:
You will basically use the aspnet_regiis.exe utility. It is in the C:\Windows\Microsoft.NET\Framework\vX.Y.ZZZZZ directory. Do not forget that you must have administrator privileges to run it. Example usage:
aspnet_regiis -pef "connectionStrings" "c:\diretorio"
There is no miracle. Encryption does not guarantee anything if it needs to be easily decrypted. You could provide a custom form of encryption, but you would need a key and an algorithm to decrypt it. If someone has access to your Web.config, your application will probably contain both, and it will be decrypted. So it's best to let the operating system and database take care of this. They will do a better job, even though a fully compromised server can give access to anything.
But if they can only read your Web.config file, they will not be able to do much with it outside the computer where it was encrypted, and will not be able to revert it to the original state. This encryption is dependent on the environment where it is made. That's why you cannot do it on your development machine and copy it to the production machine. Encryption must always be done on the production machine. Only you can decrypt.
Documentation. More details.
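The procedure above as a script that also checks the result, added here as an example and not part of the original answer. The application folder and the .NET framework version folder are assumptions to adjust for your server, and the function names are made up for this example.

```powershell
# Added example. Run in an elevated PowerShell session on the production server itself.
$AppDir  = 'C:\inetpub\wwwroot\MyApp'   # assumption: folder that holds Web.config
$FxDir   = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319'  # assumption: 64-bit .NET 4.x
$Regiis  = Join-Path $FxDir 'aspnet_regiis.exe'
$Section = 'connectionStrings'

function Test-SectionEncrypted {
    param([string]$ConfigPath, [string]$SectionName)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ConfigPath)
    $node = $xml.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='$SectionName']")
    if ($null -eq $node) { throw "Section '$SectionName' not found in $ConfigPath" }
    # A protected section carries a configProtectionProvider attribute and holds
    # an EncryptedData element instead of readable <add> entries.
    $hasProvider = $node.HasAttribute('configProtectionProvider')
    $hasCipher   = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")
    $hasPlain    = $null -ne $node.SelectSingleNode("*[local-name()='add']")
    return ($hasProvider -and $hasCipher -and -not $hasPlain)
}

function Protect-ConfigSection {
    param([string]$Dir, [string]$SectionName)
    # aspnet_regiis needs administrator rights; stop early if the session is not elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) session.'
    }
    $config = Join-Path $Dir 'Web.config'
    if (Test-SectionEncrypted -ConfigPath $config -SectionName $SectionName) {
        return "$SectionName is already encrypted in $config"
    }
    # -pef takes the section name and the physical folder containing Web.config.
    & $Regiis -pef $SectionName $Dir
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }
    # Re-read the file: do not trust the tool's output alone.
    if (-not (Test-SectionEncrypted -ConfigPath $config -SectionName $SectionName)) {
        throw "$SectionName still contains readable entries in $config"
    }
    return "$SectionName encrypted in $config"
}

Protect-ConfigSection -Dir $AppDir -SectionName $Section
```

Test-SectionEncrypted only reads the file, so it can also be run on its own as an audit check across deployed sites.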