Section level encryption of ASP.NET settings in IIS 7
As you know, ASP.NET supports section level encryption for protecting its configuration. It supports both RSA, which is the default, and DPAPI out of the box, and it also provides a way to use a custom protection provider. (Click here for more information on using RSA. Click here for DPAPI.) The most commonly encrypted sections are appSettings, connectionStrings, identity and sessionState.
While the initial encryption is done using aspnet_regiis.exe, once the sections are encrypted, IIS 6 inetmgr allowed users to view the encrypted settings in clear text (i.e. the UI decrypted the sections), and it also allowed users to edit the values and saved the settings encrypted (i.e. the UI re-encrypted the sections).
Unfortunately, in IIS 7, inetmgr does not know how to handle encrypted sections for ASP.NET settings. It is important to note that section level encryption is still supported and is as secure as it was in IIS 6. It is just that managing the encrypted sections is not supported in the IIS 7 inetmgr. If the connection string section is encrypted in configuration, the user will see the following error when clicking on the connection string icon in IIS 7 inetmgr:
There was an error while performing this operation.
Details:
Filename: <path to configuration file>
Line number: <line number>
Error: Configuration section encryption is not supported
This was a conscious design decision in IIS 7.
I still recommend that users encrypt and secure the ASP.NET settings they consider sensitive. However, in order to view the values and/or update them, users will first have to manually decrypt the sections using aspnet_regiis.exe, edit the file, and then re-encrypt the sections using aspnet_regiis.exe. The steps to encrypt and decrypt the sections using RSA and DPAPI are provided in the links above.
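The decrypt, edit, re-encrypt round trip described above, as an added PowerShell example that is not part of the original post. It assumes a site root of C:\inetpub\wwwroot\MySite, the .NET Framework 4 install path for aspnet_regiis.exe, and a connectionStrings section encrypted with the default RSA provider; the helper Test-SectionProtected is a hypothetical name added here.

```powershell
# Added example (not from the original post): round-trip an encrypted
# <connectionStrings> section so it can be edited, then confirm it is encrypted again.
# Assumed paths and names below are placeholders; adjust them for the real site.
$siteRoot  = 'C:\inetpub\wwwroot\MySite'
$section   = 'connectionStrings'
$regiis    = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$webConfig = Join-Path $siteRoot 'web.config'

function Test-SectionProtected([string]$ConfigPath, [string]$SectionName) {
    # An encrypted section carries a configProtectionProvider attribute and an
    # <EncryptedData> child instead of its normal settings; a clear-text one has neither.
    [xml]$xml = Get-Content -LiteralPath $ConfigPath
    $node = $xml.configuration.SelectSingleNode($SectionName)
    if ($null -eq $node) { throw "Section '$SectionName' not found in $ConfigPath" }
    return [bool]$node.GetAttribute('configProtectionProvider')
}

# 1. Decrypt in place so the values can be read and edited (-pdf = decrypt by physical path).
& $regiis -pdf $section $siteRoot
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis decrypt failed (exit code $LASTEXITCODE)" }

# 2. Edit the clear-text values (notepad here; any editor works). While the file is in
#    this state the IIS 7 inetmgr Connection Strings page will open it without error.
Start-Process notepad.exe -ArgumentList $webConfig -Wait

# 3. Re-encrypt (-pef = encrypt by physical path). -prov selects the provider:
#    RsaProtectedConfigurationProvider (default) or DataProtectionConfigurationProvider (DPAPI).
& $regiis -pef $section $siteRoot -prov 'RsaProtectedConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis encrypt failed (exit code $LASTEXITCODE)" }

# 4. Verify the section is no longer clear text before finishing.
if (-not (Test-SectionProtected $webConfig $section)) {
    throw "$section is still in clear text in $webConfig"
}
```

The clear-text window is only between steps 1 and 3, so run the script from an elevated session on the server itself rather than copying the file elsewhere to edit it.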