Encrypting or Decrypting the Configuration File
Since .NET 2.0 and Visual Studio 2005, the ability to encrypt the config file has been possible. This functionality is built-in to the aspnet_regiis.exe utility. This executable uses flags to designate a few items:
-pe for encrypting web projects registered with IIS
-pd for decrypting web projects registered with IIS
-pef for encrypting web projects using the Cassini (local) web server
-pdf for decrypting web projects using the Cassini (local) web server
-app for specifying the IIS registered virtual
To encrypt the connection strings settings, use the following approach:
aspnet_regiis -pe "connectionStrings" -app "/Virtual"
aspnet_regiis -pef "connectionStrings" "c:\websites\virtual"
To decrypt, use the following:
aspnet_regiis -pd "connectionStrings" -app "/Virtual"
aspnet_regiis -pdf "connectionStrings" "c:\websites\virtual"
This can be run even when Visual Studio is open; you'll be prompted that the file changed and do you want to reload it.
The difficult aspect to this is that the account that encrypts the password has to decrypt it, or you will get the "unable to descrypt connection strings error." Obviously, this is impractical. The way to get get around this is to add the account that will run the ASP.NET application (for IIS 5.1 on XP, this is the ASPNET account, but in Windows Server 2003 and IIS 6, it's the NETWORKSERVICE account). To grant permissions for these accounts to decrypt the connection string in the application, use:
aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORK SERVICE"
See more about this at: http://msdn.microsoft.com/en-us/library/yxw286t2.aspx. This grants the account permissions, and the automatic decryption can works successfully.
You do not need to write any code to decrypt the values; these values are automatically decrypted, with no apparent performance issues.