In fact, you can encrypt sections of your configuration files. it doesnโt "separate" from the configuration file, as you asked in your question, but it is more secure than storing unencrypted / unencrypted passwords in your configuration file.
An example of encryption of connection strings (from the command line):
aspnet_regiis -pe "connectionStrings" -app "/SampleApplication" -prov "RsaProtectedConfigurationProvider"
Please note that the same method can be applied to partitions, except for connection strings.
See the tutorial at: https://msdn.microsoft.com/en-us/library/zhhddkxy%28v=vs.140%29.aspx
To decrypt and encrypt a section of a Web.config file, the ASP.NET process must have permission to read the corresponding encryption key information. For more information, see Import and Export RSA Key Containers with Secure Configuration.
The application will be able to use the encrypted values โโinitially, but if the user had access to the configuration file, say through an archive file, the lines will still be encrypted.
Another tutorial that may contain additional information: http://www.codeproject.com/Tips/795135/Encrypt-ConnectionString-in-Web-Config
Please note that encryption is reversible with the appropriate key. Your safest bet will be to block remote access and share access to the area in which the configuration file is stored. Without any of these, your configuration file should not be accessible to anyone except server administrators.