I wrote a routine to encrypt/decrypt web.config that doesn't need machine access (I assume that ASPNET_REGIIS would need such access, which is not available, for example, in Azure Web Services). Here is the code. I do believe such code could be run on each server in a farm, giving each server access to the encrypted web.config (per web application) without having to pass around a shared secret (XML file) or use RSA (ASPNET_REGIIS):
    using System;
    using System.Configuration;
    using System.Web.Configuration;

    protected void Encrypt_Click(object sender, EventArgs e)
    {
        // Get configuration information about Web.config
        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

        // Let's work with the <connectionStrings> section
        ConfigurationSection connectionStrings = config.GetSection("connectionStrings");

        // Only encrypt the section if it exists and is not already protected
        if (connectionStrings != null && !connectionStrings.SectionInformation.IsProtected)
        {
            // Encrypt the <connectionStrings> section using the
            // DataProtectionConfigurationProvider (DPAPI) provider
            connectionStrings.SectionInformation.ProtectSection(
                "DataProtectionConfigurationProvider");
            config.Save();

            // Refresh the Web.config display
            // (DisplayWebConfig is this page's own helper; its body is not shown here)
            DisplayWebConfig();
        }
    }
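As an added example (not the poster's code), here is the same DPAPI section protection as a reusable helper that also covers the decrypt direction and opens web.config by its physical directory, so it can run as a startup task or console tool on each farm member without aspnet_regiis. The `WebConfigProtector` class, the `Program` entry point and the `C:\inetpub\wwwroot\MyApp` path are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Assumed helper (not from the original post): toggles DPAPI protection on one
// web.config section, addressed by physical directory rather than IIS metabase.
public static class WebConfigProtector
{
    const string Provider = "DataProtectionConfigurationProvider";

    static Configuration Open(string physicalDir)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(physicalDir, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Returns true if the file was changed, false if nothing needed doing.
    public static bool Protect(string physicalDir, string sectionName)
    {
        Configuration config = Open(physicalDir);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || section.SectionInformation.IsProtected)
            return false;
        // With the provider's default useMachineProtection="true", DPAPI keys the
        // ciphertext to THIS machine: a protected web.config copied to another
        // server will fail to load, so Protect must run on every farm member.
        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static bool Unprotect(string physicalDir, string sectionName)
    {
        Configuration config = Open(physicalDir);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}

class Program
{
    static void Main(string[] args)
    {
        // Placeholder site path; the application itself keeps reading
        // ConfigurationManager.ConnectionStrings unchanged after protection.
        string dir = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\MyApp";
        bool changed = WebConfigProtector.Protect(dir, "connectionStrings");
        Console.WriteLine(changed ? "connectionStrings protected" : "already protected");
    }
}
```

Decryption is transparent to the application: once the section is protected, reads through `ConfigurationManager.ConnectionStrings` still return plaintext on the machine that encrypted it.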