Encryting Config files


I was wondering if there was any way to modify the order in which these “features” are being run:

Or if perhaps there was a way to insert a custom feature in there or replace one.

Our problem is such: we have a security requirement that prevents us from leaving connection strings in clear text in our deployed web app and services.

We created a script module that encrypts the connection string section of the config file using aspnet_regiis tool and we would like to run this script immediately after feature “5. Substitute Octopus Variables in files” or “7. XML Configuration Variables” or even run it as part of one of those features…

Is there any way to do that?

If there isn’t, for now, we run our script module as a deployment script, but since we use custom installation directories for our packages,

  1. The packages first get pushed to C:\Octopus\Applications\EnvironmentName\PackageName\PackageVersion
  2. The octopus variables get substituted in the config files
  3. The whole directory gets copied to the custom install dir
  4. Encryption takes place in our deployment script

This leaves clear text values in C:\Octopus\Applications\EnvironmentName\PackageName\PackageVersion

Is there a way to avoid leaving anything in that original directory where everything gets pushed?

Thanks in advance,


This should probably be in the Questions thread. Sorry about that…

Hi Robert,

Thanks for reaching out. Dont worry about the thread, as long as it is on help.octopusdeploy.com, you’ll always be in the right place :slight_smile:

The easiest way on this case would be to delete everything from C:\Octopus\Applications\EnvironmentName\PackageName\PackageVersion after you make the deployment and the substitutions. There’s a variable that holds the value of that path called #{OctopusOriginalPackageDirectoryPath}.

Adding this line of code as a post build script should do:

Remove-item #{OctopusOriginalPackageDirectoryPath} -force -verbose -recurse

Hope that helps!


Hi Dalmiro,

Thank you for the answer.

Although I do agree it is the easiest way, and it is the way we implemented it for now. It is however not the safest way and I’m afraid it might not be an acceptable solution for our client.

Would it be at all possible to edit the variable replacement scripts? It would feel like a hack, but it might be necessary for us.



Hi Robert,

Unfortunately its not possible to edit the built-in variable replacement script. What you could turn off the variable replacement feature and add your own pre-deploy script to handle the replacements.