From 0a97f95ff449867d9a6c259edc1ef688db97a042 Mon Sep 17 00:00:00 2001 From: Yoko Date: Tue, 8 Jan 2019 17:57:43 -0800 Subject: [PATCH] Document upper limit on Transit encryption size (#6014) --- website/source/api/secret/transit/index.html.md | 8 +++++++- website/source/docs/secrets/transit/index.html.md | 7 ++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/website/source/api/secret/transit/index.html.md b/website/source/api/secret/transit/index.html.md index 7ead2315c..a0afa70e8 100644 --- a/website/source/api/secret/transit/index.html.md +++ b/website/source/api/secret/transit/index.html.md @@ -385,6 +385,12 @@ will be returned. } ``` +!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial +of service attack. This can be tuned per [`listener` +block](/docs/configuration/listener/tcp.html) in the Vault server +configuration. + + ### Sample Request ``` @@ -966,7 +972,7 @@ input to this endpoint should be the output of `/backup` endpoint. ~> For safety, by default the backend will refuse to restore to an existing key. If you want to reuse a key name, it is recommended you delete the key before restoring. It is a good idea to attempt restoring to a different key - name first to verify that the operation successfully completes. + name first to verify that the operation successfully completes. | Method | Path | Produces | | :------- | :-------------------------- | :--------------------- | diff --git a/website/source/docs/secrets/transit/index.html.md b/website/source/docs/secrets/transit/index.html.md index e814d80e2..7bf6998fe 100644 --- a/website/source/docs/secrets/transit/index.html.md +++ b/website/source/docs/secrets/transit/index.html.md 
@@ -63,7 +63,7 @@ types also generate separate HMAC keys): * `ecdsa-p256`: ECDSA using curve P256; supports signing and signature verification * `rsa-2048`: 2048-bit RSA key; supports encryption, decryption, signing, and - signature verification + signature verification * `rsa-4096`: 4096-bit RSA key; supports encryption, decryption, signing, and signature verification @@ -144,6 +144,11 @@ the proper permission, it can use this secrets engine. for storing the encrypted ciphertext. When the caller wants the plaintext, it must provide the ciphertext back to Vault to decrypt the value. + !> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial + of service attack. This can be tuned per [`listener` + block](/docs/configuration/listener/tcp.html) in the Vault server + configuration. + 1. Decrypt a piece of data using the `/decrypt` endpoint with a named key: ```text
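Review bot: The new callout in the api hunk at `@@ -385,6 +385,12 @@` states the limit as "32MB" but never names the setting that enforces it, so a reader who follows the listener link still has to hunt for it. Name the parameter in the sentence, e.g. `This can be tuned with the `max_request_size` parameter of each [`listener` block](/docs/configuration/listener/tcp.html)`, and give the default in bytes (33554432) since that is how the listener page expresses it. Two further points on the same callout: the cap applies to the whole HTTP request body, and `/encrypt` takes base64-encoded plaintext, so the usable plaintext per call is roughly three quarters of the configured size (base64 inflates input by 4/3) minus the JSON envelope; saying so stops users from sizing payloads against the raw figure. Minor: "Vault HTTP API imposes" reads better as "The Vault HTTP API imposes", and the two added blank lines before `### Sample Request` leave a double blank line where the rest of the file uses one.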
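Review bot: The `@@ -966,7 +972,7 @@` hunk in the api file and the `@@ -63,7 +63,7 @@` hunk in the docs file are trailing-whitespace-only changes (the `name first to verify that the operation successfully completes.` and `signature verification` lines) that have nothing to do with the request-size note in the subject line. Either drop them or mention them in the commit message so the diff reads as one purposeful change rather than leaving a reviewer to diff the whitespace by eye.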
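Review bot: In the docs hunk at `@@ -144,6 +144,11 @@` the callout is indented three spaces so it stays inside the encrypt step of the numbered workflow, which keeps the list numbering intact; confirm that the `!>` admonition renders correctly nested inside a list item in the site's markdown pipeline, since the api page only uses it at top level. The wording is copied verbatim from the api page and so inherits the same gaps: name `max_request_size` as the setting being tuned, and note that plaintext is base64-encoded in the request so the effective plaintext ceiling is about three quarters of the limit. Because both pages now carry identical text, consider keeping the full explanation on the listener page and reducing the two transit callouts to a one-line pointer so they cannot drift apart over time.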