Items in the secureSettings section can be encrypted using the following command. Replace /webverifier if you are encrypting for another location.
C:\Windows\Microsoft.NET\Framework\v4.0.30319/aspnet_regiis -pe "secureSettings" -app "/webverifier" -prov "RsaProtectedConfigurationProvider"
By Default, Client Id and Client Secret are included in secureSettings, but any of the OAuth2Settings settings can be encrypted by moving the value to SecureSettings. If the same value appears in secureSettings and OAuth2Settings, the OAuth2Settings value will take precedence. This can be used to temporarily replace encrypted settings for testing purposes.
For more information on encrypting web.config, including how to decrypt values and how to control the encryption key so that it can be reused on other machines, please refer to the ASP.Net documentation from Microsoft.