This article steps through the process of encrypting and decrypting the "identity impersonation" in the web.config file.
NOTE: The drive and folder location of your OnSemble Portal may vary. Please verify the red text is correct before running. 

Encryption

1. From a command prompt, enter the command below:

cd  WINDOWS\Microsoft.net\Framework\v2.0.50727

PRESS ENTER, THEN ENTER:

aspnet_regiis -pa "NetFrameworkConfigurationKey" "NT AUTHORITY\NETWORKSERVICE"

-This Grants User Access to Encryption Key

If command not found or failed, enter:

aspnet_regiis -pc "NetFrameworkConfigurationKey" -exp

aspnet_regiis -pef "system.web/identity" "C:\Inetpub\wwwroot\production portal"

-This Encrypts Identity Tag

Decryption

1. From a command prompt, enter the command below:

aspnet_regiis -pdf "system.web/identity" "C:\Inetpub\wwwroot\production portal"

-This Decrypts Identity Tag

From this article- 

There is a tiny workaround you'll have to do to encrypt the agent/dtsearch.
1) Copy and Rename the config to web.config
2) Remove all sections except <portals> </portals>
3) Encrypt the section
4) Copy the encrypted section back to original config file
5) Leave the web.config file there so you can un-encrypt and copy and paste for updates 

Run the below through CMD Prompt (Run as Admin)

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -pef "portals" "C:\Program Files\Passageways\Services\Agent"
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -pef "WebsitesToIndex" "C:\Program Files\Passageways\Services\dtSearchIndexer"