I'm having a confusion attack on encrypting web.config, in order to hide configuration strings.
1) If I'm not using userid & password in config string, what might be the point of encrypting the configuration strings? Any?
2) I can't figure out how the ASP.NET finds the RSA key that was used to encrypt web.config during operation of the aspreg_iis encryption trick. Can the aspreg_iis encryption be run by be -ANY- identity that can do I/O on web.config, and ASP.NET is smart enough to find it the key? Does aspreg_iis do something to tell ASP.NET that the encryption has taken place, and that the key is somewhere in particular. Or does the aspiis_reg encryption trick have to be run by a particular identity that somehow is already correlated with ASP.NET?
Any help with this would be appreciated.