Secure Sitecore ConnectionStrings using aspnet_regiis (see https://grantkillian.wordpress.com/2017/08/29/encrypting-sitecore-connection-strings-for-sitecore-commerce-azure-sql-and-beyond/ for more context)

SecureSitecoreConnectionStrings.ps1

<#
Note:
  -  The encyption is specific to each server, so this needs to be run separately on every IIS server
  -  ASPNet_RegIIS requires a web.config file to operate, so we have to massage our Sitecore .config into a web.config format it will understand

Steps:
1) Copy current Connectionstrings.config to a file named "web.config"
2) insert <configuration> node surrounding the <connectionStrings> XML
3) run this new web.config file through aspNet_RegIIS...

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pef "connectionStrings" "S:\Sitecore\TEST-CMS\website\App_Config"

4) take the contents of the -- now encrypted -- web.config file and pull the information within the 
<connectionStrings>...</connectionStrings> nodes and overwrite what's currently in connectionStrings.config
#>

$configLocation = "S:\Sitecore\website\App_Config"

#this is here only in case you want a back-up, but don't blindly leave a back-up around or it defeats the purpose of encrypting
#Copy-Item -Path ($configLocation + "\connectionStrings.config") -Destination ($configLocation + "\connectionStrings.PlainText.backup")

Copy-Item -Path ($configLocation + "\connectionStrings.config") -Destination ($configLocation + "\web.config")

$plainConnectionStrings = Get-Content ($configLocation + "\web.config")
$plainConnectionStrings.replace('</connectionStrings>', '</connectionStrings></configuration>') | Set-Content ($configLocation + "\web.config")

$plainConnectionStrings = Get-Content ($configLocation + "\web.config")
$plainConnectionStrings.replace('<connectionStrings>', '<configuration><connectionStrings>') | Set-Content ($configLocation + "\web.config")

#Encrypt
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pef "connectionStrings" $configLocation

$encryptedString = Get-Content ($configLocation + "\web.config")
$encryptedString.replace('</connectionStrings></configuration>', '</connectionStrings>') | Set-Content ($configLocation + "\web.config")

$encryptedString = Get-Content ($configLocation + "\web.config")
$encryptedString.replace('<configuration><connectionStrings', '<connectionStrings') | Set-Content ($configLocation + "\web.config")

#this is now our XML to inject into the Sitecore connectionStrings.config
$encryptedString = Get-Content ($configLocation + "\web.config")

Clear-Content -Path ($configLocation + "\connectionStrings.config")

Set-Content -Path ($configLocation + "\connectionStrings.config") -Value $encryptedString

Remove-Item ($configLocation + "\web.config")

Write-Host "$configLocation\webconnectionStrings.config is now encrypted" -ForegroundColor Magenta

########################################################################
# to un-encrypt, run the following from the machine that performed the encryption.  ConnectionStrings will be revealed in plain text in a new web.config file

<#
$configLocation = "S:\Sitecore\website\App_Config"

Copy-Item -Path ($configLocation + "\connectionStrings.config") -Destination ($configLocation + "\web.config")

$plainConnectionStrings = Get-Content ($configLocation + "\web.config")
$plainConnectionStrings.replace('</connectionStrings>', '</connectionStrings></configuration>') | Set-Content ($configLocation + "\web.config")

$plainConnectionStrings = Get-Content ($configLocation + "\web.config")
$plainConnectionStrings.replace('<connectionStrings', '<configuration><connectionStrings') | Set-Content ($configLocation + "\web.config")

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pdf "connectionStrings" $configLocation

Write-Host "Check $configLocation\web.config for the plain text configuration" -ForegroundColor Magenta
#>