As far as I can tell, any section in a web.config file can be encrypted & decrypted using aspnet_regiis.exe.
If aspnet_regiis can be used to decrypt the web.config file, then what's the point of encrypting it? Is it just to keep passwords & sensitive information from being stored as plain text? If anyone with the file and the exe can decrypt it, does it really protect sensitive config info?
UPDATE
Thanks to everyone who answered regarding the machine key. The reason I asked this question is because we have an open source project hosted at codeplex.com. However, we also deploy this project to Windows Azure. I am trying to find a best approach to keep the sensitive passwords out of source control, but keep them accessible as part of my project for when I deploy to Azure.
Currently, I am using web config transforms to store the Azure connection strings (as well as Gmail passwords for system.net). I've created a Web.PublishToAzure.config transform file, and just kept that file out of source control. I also found this article which may be a better option. Thanks again.
