I wrote a post called Encrypt Connection Strings, AppSettings and Web.Config in ASP.NET 2.0 - Security Best Practices that discusses programmatically encrypting various sections of your web.config in ASP.NET 2.0.

Today a question came up about how to encrypt connection strings programmatically in your app.config. I won't pretend to be a windows developer, but the following code seemed to do the trick:

Configuration config =
    ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
ConfigurationSection section = config.GetSection("connectionStrings");
if (section != null)
{
    if (!section.IsReadOnly())
    {
        section.SectionInformation.
               ProtectSection("RsaProtectedConfigurationProvider");
        section.SectionInformation.ForceSave = true;

        config.Save(ConfigurationSaveMode.Full);
    }
}

You can add more checks to verify it isn't encrypted already as well as use the DPAPI provider instead, but this gets across the idea.

If anyone knows of another or better way, I would love to hear it.

Additional Resources:

• Besides my article above, Scott Mitchell wrote a thorough article on encrypting configuration information in ASP.NET 2.0, called Encrypting Configuration Information in ASP.NET 2.0 Applications.