DotNetNewsgroup.com  
web access to complete list of Microsoft.NET newsgroups
start date: Wed, 18 Jul 2007 05:04:02 -0700, posted on: microsoft.public.dotnet.framework.aspnet.security

Thread Index
  1    DavidE


Encrypt and decrypt connectionstrings in web.config   
Hi,

I use the code below to encrypt and decrypt connectionstrings in the 
web.config files.
It works well, but I don't understand something about the decryption. A 
hacker who gains the web.config file with the encrypted data can copy it to 
a new web site that he created and use this line of code, 
section.SectionInformation.UnprotectSection(), and so get the connectionstring 
in plain text. I tried it. I copied the web.config to a new web site and then 
used this line of code and I got the original connectionstring!
Am I right? If I am, it is not a security solution.


// Requires: using System.Configuration; using System.Web.Configuration;
// Both methods live in a page class, since they use Request.ApplicationPath.

// Encrypts the connectionStrings section of this application's web.config in place.
public void EncryptConnString()
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    if (!section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        config.Save();
    }
}

// Decrypts the connectionStrings section and writes it back as plain text.
public void DecryptConnString()
{
    Configuration config = WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);
    ConfigurationSection section = config.GetSection("connectionStrings");
    if (section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}

 
Thanks,

 David
Date:Wed, 18 Jul 2007 05:04:02 -0700   Author:  
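
Added example (not part of the original post and not the poster's code): the stock provider named RsaProtectedConfigurationProvider is declared in machine.config with the machine-level key container NetFrameworkConfigurationKey, so the decryption key belongs to the server rather than to one site. The hypothetical helper below (class and method names are assumptions) reports which key container protects a section and how that container is scoped.

```csharp
using System.Configuration;
using System.Web.Configuration;

// Hypothetical audit helper; the names are illustrative, not from the original post.
public static class ProtectedSectionAudit
{
    // Returns a one-line description of which key protects the section and who can use it.
    // appPath is the application's virtual path, e.g. Request.ApplicationPath.
    public static string DescribeKeyScope(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            return sectionName + ": section not found";

        SectionInformation info = section.SectionInformation;
        if (!info.IsProtected)
            return sectionName + ": stored in plain text";

        // The provider is resolved from the section's configProtectionProvider attribute.
        ProtectedConfigurationProvider provider = info.ProtectionProvider;
        RsaProtectedConfigurationProvider rsa = provider as RsaProtectedConfigurationProvider;
        if (rsa == null)
        {
            string name = provider != null ? provider.Name : "unknown";
            return sectionName + ": protected by non-RSA provider '" + name + "'";
        }

        // Machine-level containers are shared by the whole server; access is
        // controlled only by the ACL on the key container.
        string scope = rsa.UseMachineContainer
            ? "machine-level container: any application on this server whose "
              + "account can read the container can decrypt"
            : "user-level container: only code running as the owning account can decrypt";

        return sectionName + ": provider '" + rsa.Name + "', key container '"
            + rsa.KeyContainerName + "', " + scope;
    }
}
```

A web.config moved to a different server decrypts there only if the same key container has also been exported and imported on that server. On the original server, limiting the container's ACL to the one application identity narrows which sites can call UnprotectSection() successfully.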
