http://interactiveasp.net/blogs/natesstuff/archive/2008/07/16/encrypting-configuration-information-for-asp-net.aspxEvery company I consult with invariably has their own "security" assembly and they all have a hard-coded encryption key with the IV and the method to decrypt is right next to the method to encrypt. This is what I call marginal protection . YesenCommunityServer 2008 (Build: 30417.1769)