You may find that you need to encrypt some sections of configuration files (such as Web.config) to protect sensitive information. Yet you may also need to decrypt that information to debug a running application.

You can do that in .NET 2.0 and higher using the aspnet_regiis.exe command-line utility. The utility supports two kinds of encryption methods or providers: the Windows Data Protection API (DPAPI) provider or the RSA provider. The RSA provider is the default.

For example, to encrypt the connectionStrings section in a Web.config file, open a command prompt and enter the following on a single line (substituting the appropriate path for the one shown in the example):

aspnet_regiis.exe -pef "connectionStrings"    "C:InetpubwwwrootYourWebSite"    prov "RSAProtectedConfigurationProvider"

To decrypt the same section, use:

aspnet_regiis.exe -pdf "connectionStrings" "C:InetpubwwwrootYourWebSite"

Note that you can’t encrypt “section groups” such as or ;you may encrypt only “sections”—and there are restrictions on those as well. For example, sections that you may not encrypt include , , and , because the ASP.NET/ISAPI engine needs access to them.