diff --git a/website/content/docs/secrets/transit.mdx b/website/content/docs/secrets/transit.mdx
index abd6eddd34f7334f6e577666dcf79b9178b1d6f4..700927297a5a3540fd61d55b59c83b90d5202894 100644
--- a/website/content/docs/secrets/transit.mdx
+++ b/website/content/docs/secrets/transit.mdx
@@ -239,29 +239,31 @@ transit keys.
 
 First, the wrapping key needs to be read from transit:
 
+```text
 $ vault read transit/wrapping_key
+```
 
 The wrapping key will be a 4096-bit RSA public key.
 
-Then the wrapping key is used to create the ciphertext input for the `import` endpoint.
-For the explanations below, the key being imported into Vault is referred to as the target
-key.
+Then the wrapping key is used to create the ciphertext input for the `import` endpoint,
+as described below. In the below, the target key refers to the key being imported.
 
 ### HSM
 
 If the key is being imported from an HSM that supports PKCS#11, there are
-two scenarios:
+two possible scenarios:
 
 - If the HSM supports the CKM_RSA_AES_KEY_WRAP mechanism, that can be used to wrap the
 target key using the wrapping key.
 
 - Otherwise, two mechanisms can be combined to wrap the target key. First, an AES key should
 be generated and then used to wrap the target key using the CKM_AES_KEY_WRAP_PAD mechanism.
-Then the AES key should be encrypted under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
+Then the AES key should be wrapped under the wrapping key using the CKM_RSA_PKCS_OAEP mechanism
 using MGF1 and either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.
 
-To create the ciphertext for input to transit's import endpoint, append the wrapped target key
-to the encrypted AES key and then encode the bytes in base64.
+The ciphertext is constructed by appending the wrapped target key to the wrapped AES key.
+
+The ciphertext bytes should be base64-encoded.
 
 ### Manual Process
 
@@ -272,7 +274,7 @@ the ciphertext for the input of the `import` endpoint:
 
 - Wrap the target key using the ephemeral AES key with AES-KWP.
 
-- Wrap the AES key under the wrapping key returned by Vault using RSAES-OAEP with MGF1 and
+- Wrap the AES key under the Vault wrapping key using RSAES-OAEP with MGF1 and
 either SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.
 
 - Delete the ephemeral AES key.