Transform encrypted connect strings for web.config?

How do you handle web.config connect strings that are encrypted but must vary by environment?

Can’t you do something like this:

Cast the web.config as XML, search for the conn string name, and replace the encrypted string with an encrypted connection string that you store as a variable in Octopus? Then you could hide the encrypted string by using private on the variable.

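function update-connectionstrings($configFile, $NameString, $oldValue, $newValue) {
    # Load web.config as XML
    [xml]$xml = [xml](Get-Content $configFile -ErrorAction SilentlyContinue)
    foreach ($connstring in $xml.configuration.connectionStrings.add) {
        # Only change the connection string whose name matches
        if ($connstring.name -like "$NameString") {
            $old = $connstring.connectionString
            $new = $old.Replace($oldValue, $newValue)
            $connstring.connectionString = $new
        }
    }
    # Clear the read-only flag, then write the change back to disk
    if ((Get-ItemProperty $configFile -Name IsReadOnly).IsReadOnly)
    { Set-ItemProperty $configFile -Name IsReadOnly -Value $false }
    $xml.Save($configFile)

    # Note: these lines write the connection string values to the deployment log
    write-host "old value $old"
    write-host "new value $new"
}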


$cnfgPath = "D:\configs" #path to config file
$EnvironmentName = $OctopusParameters['Octopus.Environment.Name']
$subEnv = ($EnvironmentName.Split("-"))[0]
# Join-Path inserts the separator that plain string concatenation would drop
$configPath = Join-Path $cnfgPath "web.config"

#newDBName= The name of the READONLY database server to change the connection string to. If it does not exist as a variable in Octopus, it will not update the connection strings
#oldDBName= This is the name of the availability group that needs to change. If this is blank, it will not update the connection strings

if (($oldDBName) -and ($newDBName)) {
    Write-host "Changing Config File $configPath"
    update-connectionstrings $configPath "ProductRuntime" $oldDBName $newDBName
    Write-host "Variables old uri: $oldUriValue New Uri: $newUriValue OldDb: $oldDBName NewDB:$newDBName"
}
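
An added example, not part of the original post: when the whole `<connectionStrings>` section has been encrypted with ASP.NET protected configuration, it holds an `EncryptedData` element instead of `add` entries, so a per-entry loop like the one above finds nothing to change. This version swaps the entire section for a per-environment one and refuses anything that is not an encrypted section; the function name, the `EncryptedConnectionStrings` variable name and the sample XML are assumptions made for illustration.

```powershell
# Added example; function and variable names here are hypothetical.
function Set-ProtectedConnectionStrings {
    param(
        [Parameter(Mandatory)][string]$ConfigFile,
        [Parameter(Mandatory)][string]$EncryptedSectionXml
    )
    $path = (Resolve-Path -LiteralPath $ConfigFile).ProviderPath
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($path)

    # SelectSingleNode returns $null when the section is absent
    $current = $xml.SelectSingleNode('/configuration/connectionStrings')
    if ($null -eq $current) { throw "No <connectionStrings> section in $path" }

    # Validate the replacement before touching the file: it must be a
    # protected section, so plaintext is never written by mistake.
    $fragment = New-Object System.Xml.XmlDocument
    $fragment.LoadXml($EncryptedSectionXml)
    $replacement = $fragment.DocumentElement
    if ($replacement.LocalName -ne 'connectionStrings' -or
        -not $replacement.GetAttribute('configProtectionProvider') -or
        $replacement.GetElementsByTagName('EncryptedData').Count -eq 0) {
        throw 'Replacement is not an encrypted <connectionStrings> section'
    }

    $imported = $xml.ImportNode($replacement, $true)
    [void]$current.ParentNode.ReplaceChild($imported, $current)
    $xml.Save($path)
    # Return only the provider name; never log the section contents.
    return $imported.GetAttribute('configProtectionProvider')
}

# Constructed sample input; the CipherValue is a placeholder, not real ciphertext.
$sampleConfig = Join-Path ([IO.Path]::GetTempPath()) 'web.sample.config'
Set-Content -LiteralPath $sampleConfig -Value @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData><CipherValue>OLD-PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>
'@
# In a deployment this would come from a sensitive Octopus variable,
# e.g. $OctopusParameters['EncryptedConnectionStrings'] (assumed name).
$perEnvironmentSection = @'
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData><CipherValue>NEW-PLACEHOLDER</CipherValue></CipherData></EncryptedData>
</connectionStrings>
'@
Set-ProtectedConnectionStrings -ConfigFile $sampleConfig -EncryptedSectionXml $perEnvironmentSection
```

A centrally stored section only decrypts on a target server that holds the matching key: DPAPI-protected sections are bound to the machine that encrypted them, while the RSA provider works across servers once the same key container has been imported on each one.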


Thanks for reaching out. We have a blog post about that should be a pretty good starting point.

Let me know if it helps.