Although a connection string stored in the web.config file is relatively safe since it will never be served to users by IIS, it is still best practice to encrypt all connection strings used in the ASP.NET application.
You can use the Aspnet_regiis.exe tool with the -pe (provider encryption) command option to encrypt sections of the Web.config file. To encrypt the connectionStrings section, run the following command from the command prompt:
aspnet_regiis -pe "connectionStrings" -app "/MachineDPAPI" -prov "DataProtectionConfigurationProvider"
In the above command, -pe specifies which configuration section to encrypt, -app specifies the virtual path to the application and -prov specifies the provider name. The .NET Framework supports two protected configuration providers, RSAProtectedConfigurationProvider and DPAPIProtectedConfigurationProvider; the command above refers to the DPAPI provider by its configured name, DataProtectionConfigurationProvider.
- RSAProtectedConfigurationProvider. The default provider, which uses RSA public-key encryption to encrypt and decrypt data. You should use this provider to encrypt config files for use on several Web servers in a Web farm.
- DPAPIProtectedConfigurationProvider. This provider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data. Use this provider to encrypt config files used on a single server.
It is not necessary to take any steps to decrypt the data since the ASP.NET runtime handles this seamlessly.
Note that you should also consider encrypting the <appSettings>, <identity> and <sessionState> sections of the web.config file, since these may also contain sensitive data.
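To confirm which of these sections are actually protected after running the tool, the following added example (not part of the original page) parses a web.config and classifies each sensitive section. It relies on the form the tool writes: a configProtectionProvider attribute on the section and an EncryptedData child element. The function names and the sample file are constructed for illustration.

```python
# Added example, not from the original page: classify the sensitive
# web.config sections as encrypted, external or plaintext.
import xml.etree.ElementTree as ET

# Section name -> parent element (None = directly under <configuration>).
SENSITIVE = {"connectionStrings": None, "appSettings": None,
             "identity": "system.web", "sessionState": "system.web"}

def children(elem, name):
    """Child elements with this local name, ignoring any XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def section_state(section):
    # aspnet_regiis -pe replaces the section body with <EncryptedData> and
    # records the provider in the configProtectionProvider attribute.
    if section.get("configProtectionProvider") and children(section, "EncryptedData"):
        return "encrypted"
    if section.get("configSource"):
        return "external"  # body lives in another file; audit that file too
    return "plaintext"

def audit(xml_text):
    """Return {section name: state} for each sensitive section present."""
    root = ET.fromstring(xml_text)
    report = {}
    # Sections may also appear inside <location> blocks.
    for scope in [root] + children(root, "location"):
        for name, parent in SENSITIVE.items():
            holders = [scope] if parent is None else children(scope, parent)
            for holder in holders:
                for section in children(holder, name):
                    if report.get(name) != "plaintext":  # plaintext copy wins
                        report[name] = section_state(section)
    return report

# Constructed sample: connectionStrings is protected, the rest is not.
SAMPLE = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
  <appSettings><add key="ApiKey" value="constructed" /></appSettings>
  <system.web>
    <identity impersonate="true" userName="svc" password="constructed" />
    <sessionState mode="InProc" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE).items()):
        print(f"{name}: {state}")
```

A section reported as external uses configSource to point at a separate file, so the same check has to be run against that file.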