Encrypt Web.Config (Web.Release.config) Transform files using aspnet_regiis

The way I was able to make this work was by going to each machine and encrypting the web.config there with the correct connection string and then copying the newly encrypted connection string section into the appropriate web.cong transform. It is a huge pain but it works.

You can keep your production transform file in a secrets repository that only your ops team can access. Your CI system would reference both repos and copy the transform file from your secrets repo to your build directory and compile as you do now.

This would remove any sensitive config values from your primary repository and still allow your to leverage the transforms capabilities.

Try following, I have just given the example of protecting connection string. Replace the tag you want to replace using System.Configuration;

 ExeConfigurationFileMap configMap = new ExeConfigurationFileMap();                configMap.ExeConfigFilename = modulePath + "Web.Release.config";                System.Configuration.Configuration config = ConfigurationManager.OpenMappedExeConfiguration(configMap, ConfigurationUserLevel.None);                System.Configuration.ConfigurationSection section = config.GetSection("connectionStrings");                if (!section.SectionInformation.IsProtected)                {                                   section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");                    config.Save();                }