According to this documentation you have two providers when encrypting configuration:
- RSAProtectedConfigurationProvider
- DPAPIProtectedConfigurationProvider
I have little knowledge about DPAPI, so I cannot say anything for or against it. When I considered using encryption of web.config, I chose RSA and defined another CSP to hold my RSA encryption key. You can set it in machine.config in the configProtectedData element.
The mentioned page describes how to encrypt web.config sections using RSAProtectedConfigurationProvider. When using this provider, you have two options:
- Machine-Level Container (RSA key will be stored in \Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys)
- User-Level Key Container (RSA key will be stored in \Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA)
The guide then describes how to use the Aspnet_Regiis.exe tool with the RSAProtectedConfigurationProvider to encrypt sections of your configuration file.
To answer your second question: you do not need to re-compile the application, but you do have to decrypt the section (connection string), change the credentials and encrypt the section again. Or replace web.config with a new one and encrypt again.
Please note that when encrypting a section you have to have the encryption key on the same machine as web.config. The guide mentions how to export the RSA key from one machine and import it to another for usage in web farms.
But think about this for a moment: when your application can decrypt the web.config (because it has to do it before using the connection string), then anyone can do this (if he can get to the machine). I know that permissions to use the key can be set etc. etc., but IMHO it is wrong practice to use passwords in a connection string.
One last thing. The Aspnet_Regiis.exe tool mentioned in the guide above can encrypt only web.config. If you have an app.config and want to encrypt it, look at this SO question.
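The decrypt, edit, re-encrypt cycle and the web-farm key export described in this answer, as an added example that is not part of the original answer. The framework path, site path, container name, provider name, app pool identity and key file location are assumptions; the provider must already be declared in configProtectedData with a matching keyContainerName.

```powershell
# Assumed values for illustration; adjust to the actual server.
$regiis    = "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$sitePath  = 'C:\inetpub\wwwroot\MyApp'      # folder that contains web.config
$container = 'MyAppKeys'                     # machine-level RSA key container
$provider  = 'MyAppRsaProvider'              # declared in <configProtectedData>
$identity  = 'IIS APPPOOL\MyAppPool'         # account the application runs as
$keyFile   = 'C:\Temp\MyAppKeys.xml'         # temporary export, contains the private key

function Invoke-Regiis {
    param([string[]]$Arguments)
    & $regiis @Arguments
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis $($Arguments -join ' ') failed" }
}

function Initialize-KeyContainer {
    # -pc creates the container, -exp marks the key exportable (needed for web farms).
    Invoke-Regiis @('-pc', $container, '-exp')
    # -pa grants only the application identity read access to the key.
    Invoke-Regiis @('-pa', $container, $identity)
}

function Protect-ConnectionStrings {
    # -pef encrypts a section of the web.config found at a physical path.
    Invoke-Regiis @('-pef', 'connectionStrings', $sitePath, '-prov', $provider)
}

function Unprotect-ConnectionStrings {
    # -pdf decrypts the section in place so the credentials can be edited.
    Invoke-Regiis @('-pdf', 'connectionStrings', $sitePath)
}

function Export-KeyContainer {
    # -px with -pri writes the public AND private key; treat the file as a secret.
    Invoke-Regiis @('-px', $container, $keyFile, '-pri')
}

function Import-KeyContainer {
    # Run on each additional farm node, then remove the key file.
    Invoke-Regiis @('-pi', $container, $keyFile)
    Invoke-Regiis @('-pa', $container, $identity)
    Remove-Item -LiteralPath $keyFile -Force
}

# Credential change without recompiling: decrypt, edit web.config, encrypt again.
# Unprotect-ConnectionStrings
# (edit the connection string in web.config)
# Protect-ConnectionStrings
```

Run the functions from an elevated prompt. Between decrypt and re-encrypt the connection string sits in plain text on disk, so keep that window short and check that the section shows an EncryptedData element afterwards.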