Sitecore 10 encrypt WebJobs connection strings in Azure PaaS

Sitecore stores plaintext passwords in the App_Config\ConnectionStrings.config file. In most cases, we recommend that our clients encrypt this file to prevent the passwords from being exposed if the file is accessed without authorization.

For instances hosted on premises, you can use the ASP.NET IIS registration tool (aspnet_regiis) to encrypt the passwords. In a PaaS environment, you can protect your connection string values by moving the raw connection string value to the App Service connection string section.

However, the above method only supports the Core roles and the XP Service roles, not the Index Worker, Automation Engine and Processing Engine (WebJobs) roles. See https://doc.sitecore.com/en/developers/100/platform-administration-and-architecture/protect-the-connection-string-passwords-from-unauthorized-access.html

I've filed a support ticket and worked together with the Sitecore support team; they provided the workaround below. I've tested it and it works!

Workaround Solution

  1. In Azure App Service > Configuration, add the connection strings to the Application Settings section (NOT the Connection Strings section) in the following format: SITECORE_CONNECTIONSTRINGS_(NAME)

    So for example messaging, it will be SITECORE_CONNECTIONSTRINGS_MESSAGING (all capitals).

    You will have to add this for each connection string entry from the Web Job ConnectionStrings.config. See the attached pictures for an example of my App Service Application Settings.

  2. Once you have added all the connection strings to the Application Settings, save the settings. Azure will automatically restart your application.

  3. Go to the ConnectionStrings.config file of the Web Job and remove only the values of the connection strings (see the attached picture for how the file should look). The ConnectionStrings.config file is under D:\home\site\wwwroot\App_Data\jobs\continuous\<JobName>\App_Config

  4. Save the file. Check the logs to see if the web job is running without any errors. (The Web Job might fail the first time, but after it starts again, it should work.)
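The following script is an added example to illustrate steps 1 and 3 of the workaround; it is not from the post or from Sitecore support. It parses a constructed sample ConnectionStrings.config, derives the Application Setting name for each entry (the post gives messaging -> SITECORE_CONNECTIONSTRINGS_MESSAGING, so the script assumes the entry name is simply uppercased after the prefix), and produces the stripped file with the entries kept but their values emptied. The missing_settings check is an added safeguard so you can confirm every entry has a matching Application Setting before removing the values from the file.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a WebJob App_Config/ConnectionStrings.config. Entry
# names and values are made up for this example and are not real credentials.
SAMPLE_CONFIG = """<connectionStrings>
  <add name="core" connectionString="Data Source=sql.example;Initial Catalog=Sitecore_Core;User ID=coreuser;Password=P@ss-core" />
  <add name="messaging" connectionString="Data Source=sql.example;Initial Catalog=Sitecore_Messaging;User ID=msguser;Password=P@ss-msg" />
  <add name="rediscache" connectionString="redis.example:6380,password=P@ss-redis,ssl=True" />
</connectionStrings>
"""

SETTING_PREFIX = "SITECORE_CONNECTIONSTRINGS_"


def setting_name(entry_name: str) -> str:
    """Map a ConnectionStrings.config entry name to the App Service Application
    Setting name: the prefix plus the entry name in capitals (assumption based
    on the post's messaging -> SITECORE_CONNECTIONSTRINGS_MESSAGING example)."""
    return SETTING_PREFIX + entry_name.upper()


def extract_app_settings(config_xml: str) -> dict:
    """Return {application-setting-name: raw connection string} for every <add>
    entry, i.e. the key/value pairs to enter under App Service > Configuration >
    Application settings (not the Connection strings section)."""
    root = ET.fromstring(config_xml)
    settings = {}
    for add in root.iter("add"):
        settings[setting_name(add.get("name"))] = add.get("connectionString", "")
    return settings


def missing_settings(config_xml: str, app_settings: dict) -> list:
    """Names of config entries that have no matching Application Setting yet.
    Run this before stripping the file: an entry without a setting would lose
    its value with nothing to replace it, and the WebJob would fail."""
    root = ET.fromstring(config_xml)
    return [add.get("name") for add in root.iter("add")
            if setting_name(add.get("name")) not in app_settings]


def strip_values(config_xml: str) -> str:
    """Return the config with every connectionString value emptied while the
    <add> entries themselves are kept, which is what step 3 asks for."""
    root = ET.fromstring(config_xml)
    for add in root.iter("add"):
        add.set("connectionString", "")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    settings = extract_app_settings(SAMPLE_CONFIG)
    for key, value in settings.items():
        print(f"{key} = {value}")
    # Only strip the file once every entry is covered by an Application Setting.
    if missing_settings(SAMPLE_CONFIG, settings):
        raise SystemExit("add the missing Application Settings first")
    print(strip_values(SAMPLE_CONFIG))
```

Run it against your own WebJob ConnectionStrings.config to get the exact list of Application Setting names and values to create; the printed stripped XML is what the file should look like after step 3. The values you print are the plaintext secrets, so run it on a workstation you trust and do not commit the output.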

More information

The Sitecore support team also suggested encrypting the connectionStrings using aspnet_regiis via the Kudu tool as a workaround.

However, Microsoft confirmed that this is not supported on PaaS. An Azure App Service is backed by groups of Azure worker instances, and because of Azure platform activities such as maintenance, the App Service resources can move to a different worker instance; data encrypted by aspnet_regiis.exe on worker instance A cannot be decrypted on worker instance B.