Encrypting Web.Config
I'm having a confusion attack on encrypting web.config, in order to hide configuration strings.
1) If I'm not using userid & password in config string, what might be the point of encrypting the configuration strings? Any?
2) I can't figure out how ASP.NET finds the RSA key that was used to encrypt web.config during operation of the aspnet_regiis encryption trick. Can the aspnet_regiis encryption be run by -ANY- identity that can do I/O on web.config, and ASP.NET is smart enough to find the key? Does aspnet_regiis do something to tell ASP.NET that the encryption has taken place, and that the key is somewhere in particular? Or does the aspnet_regiis encryption trick have to be run by a particular identity that somehow is already correlated with ASP.NET?
Any help with this would be appreciated.
Thanks!