Managing passwords in continuous deployment

One possible solution, available since TeamCity 7.0, is to use typed parameters. You can define a parameter in TeamCity of type password, and pass it somehow to your build script (either as an environment variable or as a build script property).

TeamCity stores the values of such parameters in its own configuration files and in the database in scrambled form. If the password appears in the build log or on the build parameters page, it will be replaced with ***.


Use config transformations. You can even build your own transformation that can handle encryption/decryption. The easiest way is to encrypt the production strings in the release.web.config and use a transformation to handle replacing the connection strings.

http://msdn.microsoft.com/en-us/library/dd465318.aspx

http://sedodream.com/2010/09/09/ExtendingXMLWebconfigConfigTransformation.aspx

If this doesn't work for you, use a postbuild event to call aspnet_regiis. If you chose to extend the config transformation, you can do ANYTHING with it. The encryption keys could be on the moon as long as you can get to them.
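A pre-deployment check for the approach in the answer above, as an added example that is not part of the original answers: it fails the build when a transformed web.config still carries a plaintext password in `connectionStrings`. The function name, the command-line usage and both sample configs are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Keys that carry a credential inside an ADO.NET connection string.
SECRET_KEY = re.compile(r"(?i)(?:^|;)\s*(?:password|pwd)\s*=\s*[^;\s]")

def plaintext_secrets(config_xml):
    """Return the names of connection strings that hold a plaintext password."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("connectionStrings"):
        # A section protected with aspnet_regiis carries configProtectionProvider
        # and an EncryptedData child instead of readable <add> elements.
        if section.get("configProtectionProvider"):
            continue
        for add in section.iter("add"):
            if SECRET_KEY.search(add.get("connectionString", "")):
                # Report the entry name only, never the value, so the
                # check itself does not leak the secret into the build log.
                findings.append(add.get("name", "<unnamed>"))
    return findings

# Constructed sample: output of a transform that left production strings in clear text.
PLAIN = """<configuration><connectionStrings>
  <add name="Main" connectionString="Server=db;Database=app;User Id=app;Password=CONSTRUCTED-VALUE;" />
  <add name="Reports" connectionString="Server=db;Database=rep;Integrated Security=True;" />
</connectionStrings></configuration>"""

# Constructed sample: the same section after encryption (cipher text is a placeholder).
PROTECTED = """<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>"""

if __name__ == "__main__":
    # Usage (assumed): python check_config.py path/to/Web.config
    path = sys.argv[1]
    with open(path, encoding="utf-8") as fh:
        leaked = plaintext_secrets(fh.read())
    for name in leaked:
        print(f"{path}: connection string '{name}' contains a plaintext password")
    sys.exit(1 if leaked else 0)
```

Run as a build step after the config transformation; a non-zero exit code stops the deployment.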