It is possible. There are APIs for this (look at System.Security.Cryptography), or from the command line you can use aspnet_regiis:
- aspnet_regiis -pc -exp : create an exportable key pair
- aspnet_regiis -px : export an RSA key pair to an XML file
- aspnet_regiis -pi : import an RSA key pair from an XML file
- aspnet_regiis -pa : add access for an account to a key container
Of course, when using encryption, you simply substitute the data protection problem (your connection string) with the key protection problem.
In your example, as you know, since you say that you know that it is not bulletproof, the user will need to have access to the key container so that it can decrypt the encrypted connection string.
In addition, anyone who receives an XML file containing an exported key pair can do this.
UPDATE
The deployment procedure will look something like this:
- Create the exported key on the developer's workstation (aspnet_regiis -pc -exp)
- Secure the configuration section on the developer's workstation using this key
- Export key to XML file (aspnet_regiis -px)
- Copy the XML file to the target computer
- Import key from XML file on target machine (aspnet_regiis -pi)
- Grant user accounts access to keys on the target machine (aspnet_regiis -pa)
Sections encrypted using a secure configuration provider, such as RsaProtectedConfigurationProvider, will be decrypted automatically if the Windows identifier under which the application is running has read permission for the RSA key container.
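The deployment procedure above as a PowerShell script, run once with `-Stage Source` on the developer's workstation and once with `-Stage Target` on the target machine. This is an added example, not part of the original answer. The container, provider, path and account names and the .NET Framework directory are assumptions, and it assumes web.config already declares a matching RsaProtectedConfigurationProvider entry.

```powershell
# Added example. All default values below are hypothetical placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('Source', 'Target')][string]$Stage,
    [string]$Container = 'AppConfigKeys',                  # RSA key container name
    [string]$Provider  = 'AppRsaProvider',                 # <configProtectedData> provider whose
                                                           # keyContainerName equals $Container
    [string]$SitePath  = 'C:\inetpub\MyApp',               # folder that holds web.config
    [string]$KeyFile   = 'C:\Transfer\AppConfigKeys.xml',  # exported key pair (private key inside)
    [string]$Account   = 'IIS APPPOOL\MyAppPool'           # identity the application runs as
)

# Assumed install location of the 64-bit .NET Framework 4.x tool.
$regiis = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

function Invoke-Regiis([string[]]$Arguments) {
    & $regiis $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

if ($Stage -eq 'Source') {
    # 1. Create an exportable key container.
    Invoke-Regiis @('-pc', $Container, '-exp')
    # 2. Encrypt the connectionStrings section of web.config in $SitePath with it.
    Invoke-Regiis @('-pef', 'connectionStrings', $SitePath, '-prov', $Provider)
    # 3. Export the key pair; -pri includes the private key needed for decryption.
    Invoke-Regiis @('-px', $Container, $KeyFile, '-pri')
    # 4. Copy $KeyFile to the target over a protected channel, then delete this copy:
    #    whoever holds the file can decrypt the section.
}
else {
    # 5. Import the key pair. Without -exp the imported key cannot be exported again.
    Invoke-Regiis @('-pi', $Container, $KeyFile)
    # 6. Grant read access to the application's identity only.
    Invoke-Regiis @('-pa', $Container, $Account)
    # The XML file is no longer needed once the container exists.
    Remove-Item -LiteralPath $KeyFile -Force
}
```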