A best practice for Production environments is to encrypt your connectionStrings to protect data in case the web.config file is accessed “without authorization”.
My colleague Grant Killian wrote an excellent article in 2017 on the topic of encryption, the Microsoft ASP.NET IIS Registration Tool (aspnet_regiis.exe) is the focus in the updated Security Hardening guidelines of Sitecore.
Using the aspent_regiis.exe is achieved via a single Command Line entry. In both instances of encryption and decryption the examples use the specified physical path for the roles. The ASP.NET IIS Registration Tool page has several configuration options.
Note: Run your Command Prompt as an Administrator. The following examples were run on Server 2016.
Encrypt Sitecore 9 connectionStrings
Each Sitecore role requires the encryption ran. As an example, this run in a Command Prompt (Admin) would encrypt the SitecoreCMS role.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pef "connectionStrings" "S:\Sitecore\SitecoreCMS"
Decrypt Sitecore 9 connectionStrings
Decryption of the connectionStrings is a one liner in a Command Prompt (Admin) as well. Here is a sample of decrypting the SitecoreCMS role.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pdf "connectionStrings" "S:\Sitecore\SitecoreCMS"