fix formatting and tweak wording

5736c2d0 · rculpepper · c4b54401 · 5736c2d0
Commit 5736c2d0 authored 3 years ago by rculpepper
Hide whitespace changes
Inline Side-by-side

Showing

with 10 additions and 8 deletions
+10 -8
--- a/website/content/docs/secrets/transit.mdx
+++ b/website/content/docs/secrets/transit.mdx
@@ -239,29 +239,31 @@ transit keys.

 First, the wrapping key needs to be read from transit:

+```text
 $ vault read transit/wrapping_key
+```

 The wrapping key will be a 4096-bit RSA public key.

-Then the wrapping key is used to create the ciphertext input for the `import` endpoint.
-For the explanations below, the key being imported into Vault is referred to as the target
-key.
+Then the wrapping key is used to create the ciphertext input for the `import` endpoint,
+as described below. In the below, the target key refers to the key being imported.

 ### HSM

 If the key is being imported from an HSM that supports PKCS#11, there are
-two scenarios:
+two possible scenarios:

 - If the HSM supports the CKM_RSA_AES_KEY_WRAP mechanism, that can be used to wrap the
 target key using the wrapping key.

 - Otherwise, two mechanisms can be combined to wrap the target key. First, an AES key should
 be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_PAD mechanism.
-Then the AES key should be encrypted under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
+Then the AES key should be wrapped under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
 using MGF1 and either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.

-To create the ciphertext for input to transit's import endpoint, append the wrapped target key
-to the encrypted AES key and then encode the bytes in base64.
+The ciphertext is constructed by appending the wrapped target key to the wrapped AES key.
+
+The ciphertext bytes should be base64-encoded.

 ### Manual Process

@@ -272,7 +274,7 @@ the ciphertext for the input of the `import` endpoint:

 - Wrap the target key using the ephemeral AES key with AES-KWP.

- Wrap the AES key under the wrapping key returned by Vault using RSAES-OAEP with MGF1 and
+- Wrap the AES key under the Vault wrapping key using RSAES-OAEP with MGF1 and
 either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.

 - Delete the ephemeral AES key.