diff --git a/cli/commands.go b/cli/commands.go
deleted file mode 100644
index 22c8640a9..000000000
--- a/cli/commands.go
+++ /dev/null
@@ -1,389 +0,0 @@
-package cli
-
-import (
-	"os"
-
-	auditFile "github.com/hashicorp/vault/builtin/audit/file"
-	auditSocket "github.com/hashicorp/vault/builtin/audit/socket"
-	auditSyslog "github.com/hashicorp/vault/builtin/audit/syslog"
-	"github.com/hashicorp/vault/physical"
-	"github.com/hashicorp/vault/version"
-
-	credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
-	credKube "github.com/hashicorp/vault-plugin-auth-kubernetes"
-	credAppId "github.com/hashicorp/vault/builtin/credential/app-id"
-	credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
-	credAws "github.com/hashicorp/vault/builtin/credential/aws"
-	credCert "github.com/hashicorp/vault/builtin/credential/cert"
-	credGitHub "github.com/hashicorp/vault/builtin/credential/github"
-	credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
-	credOkta "github.com/hashicorp/vault/builtin/credential/okta"
-	credRadius "github.com/hashicorp/vault/builtin/credential/radius"
-	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
-
-	physAzure "github.com/hashicorp/vault/physical/azure"
-	physCassandra "github.com/hashicorp/vault/physical/cassandra"
-	physCockroachDB "github.com/hashicorp/vault/physical/cockroachdb"
-	physConsul "github.com/hashicorp/vault/physical/consul"
-	physCouchDB "github.com/hashicorp/vault/physical/couchdb"
-	physDynamoDB "github.com/hashicorp/vault/physical/dynamodb"
-	physEtcd "github.com/hashicorp/vault/physical/etcd"
-	physFile "github.com/hashicorp/vault/physical/file"
-	physGCS "github.com/hashicorp/vault/physical/gcs"
-	physInmem "github.com/hashicorp/vault/physical/inmem"
-	physMSSQL "github.com/hashicorp/vault/physical/mssql"
-	physMySQL "github.com/hashicorp/vault/physical/mysql"
-	physPostgreSQL "github.com/hashicorp/vault/physical/postgresql"
-	physS3 "github.com/hashicorp/vault/physical/s3"
-	physSwift "github.com/hashicorp/vault/physical/swift"
-	physZooKeeper "github.com/hashicorp/vault/physical/zookeeper"
-
-	"github.com/hashicorp/vault/builtin/logical/aws"
-	"github.com/hashicorp/vault/builtin/logical/cassandra"
-	"github.com/hashicorp/vault/builtin/logical/consul"
-	"github.com/hashicorp/vault/builtin/logical/database"
-	"github.com/hashicorp/vault/builtin/logical/mongodb"
-	"github.com/hashicorp/vault/builtin/logical/mssql"
-	"github.com/hashicorp/vault/builtin/logical/mysql"
-	"github.com/hashicorp/vault/builtin/logical/pki"
-	"github.com/hashicorp/vault/builtin/logical/postgresql"
-	"github.com/hashicorp/vault/builtin/logical/rabbitmq"
-	"github.com/hashicorp/vault/builtin/logical/ssh"
-	"github.com/hashicorp/vault/builtin/logical/totp"
-	"github.com/hashicorp/vault/builtin/logical/transit"
-	"github.com/hashicorp/vault/builtin/plugin"
-
-	"github.com/hashicorp/vault/audit"
-	"github.com/hashicorp/vault/command"
-	"github.com/hashicorp/vault/logical"
-	"github.com/hashicorp/vault/meta"
-	"github.com/mitchellh/cli"
-)
-
-// Commands returns the mapping of CLI commands for Vault. The meta
-// parameter lets you set meta options for all commands.
-func Commands(metaPtr *meta.Meta) map[string]cli.CommandFactory {
-	if metaPtr == nil {
-		metaPtr = &meta.Meta{
-			TokenHelper: command.DefaultTokenHelper,
-		}
-	}
-
-	if metaPtr.Ui == nil {
-		metaPtr.Ui = &cli.BasicUi{
-			Writer:      os.Stdout,
-			ErrorWriter: os.Stderr,
-		}
-	}
-
-	return map[string]cli.CommandFactory{
-		"init": func() (cli.Command, error) {
-			return &command.InitCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-		"server": func() (cli.Command, error) {
-			c := &command.ServerCommand{
-				Meta: *metaPtr,
-				AuditBackends: map[string]audit.Factory{
-					"file":   auditFile.Factory,
-					"syslog": auditSyslog.Factory,
-					"socket": auditSocket.Factory,
-				},
-				CredentialBackends: map[string]logical.Factory{
-					"approle":    credAppRole.Factory,
-					"cert":       credCert.Factory,
-					"aws":        credAws.Factory,
-					"app-id":     credAppId.Factory,
-					"gcp":        credGcp.Factory,
-					"github":     credGitHub.Factory,
-					"userpass":   credUserpass.Factory,
-					"ldap":       credLdap.Factory,
-					"okta":       credOkta.Factory,
-					"radius":     credRadius.Factory,
-					"kubernetes": credKube.Factory,
-					"plugin":     plugin.Factory,
-				},
-				LogicalBackends: map[string]logical.Factory{
-					"aws":        aws.Factory,
-					"consul":     consul.Factory,
-					"postgresql": postgresql.Factory,
-					"cassandra":  cassandra.Factory,
-					"pki":        pki.Factory,
-					"transit":    transit.Factory,
-					"mongodb":    mongodb.Factory,
-					"mssql":      mssql.Factory,
-					"mysql":      mysql.Factory,
-					"ssh":        ssh.Factory,
-					"rabbitmq":   rabbitmq.Factory,
-					"database":   database.Factory,
-					"totp":       totp.Factory,
-					"plugin":     plugin.Factory,
-				},
-
-				ShutdownCh: command.MakeShutdownCh(),
-				SighupCh:   command.MakeSighupCh(),
-			}
-
-			c.PhysicalBackends = map[string]physical.Factory{
-				"azure":                  physAzure.NewAzureBackend,
-				"cassandra":              physCassandra.NewCassandraBackend,
-				"cockroachdb":            physCockroachDB.NewCockroachDBBackend,
-				"consul":                 physConsul.NewConsulBackend,
-				"couchdb":                physCouchDB.NewCouchDBBackend,
-				"couchdb_transactional":  physCouchDB.NewTransactionalCouchDBBackend,
-				"dynamodb":               physDynamoDB.NewDynamoDBBackend,
-				"etcd":                   physEtcd.NewEtcdBackend,
-				"file":                   physFile.NewFileBackend,
-				"file_transactional":     physFile.NewTransactionalFileBackend,
-				"gcs":                    physGCS.NewGCSBackend,
-				"inmem":                  physInmem.NewInmem,
-				"inmem_ha":               physInmem.NewInmemHA,
-				"inmem_transactional":    physInmem.NewTransactionalInmem,
-				"inmem_transactional_ha": physInmem.NewTransactionalInmemHA,
-				"mssql":                  physMSSQL.NewMSSQLBackend,
-				"mysql":                  physMySQL.NewMySQLBackend,
-				"postgresql":             physPostgreSQL.NewPostgreSQLBackend,
-				"s3":                     physS3.NewS3Backend,
-				"swift":                  physSwift.NewSwiftBackend,
-				"zookeeper":              physZooKeeper.NewZooKeeperBackend,
-			}
-
-			return c, nil
-		},
-
-		"ssh": func() (cli.Command, error) {
-			return &command.SSHCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"path-help": func() (cli.Command, error) {
-			return &command.PathHelpCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"auth": func() (cli.Command, error) {
-			return &command.AuthCommand{
-				Meta: *metaPtr,
-				Handlers: map[string]command.AuthHandler{
-					"github":   &credGitHub.CLIHandler{},
-					"userpass": &credUserpass.CLIHandler{DefaultMount: "userpass"},
-					"ldap":     &credLdap.CLIHandler{},
-					"okta":     &credOkta.CLIHandler{},
-					"cert":     &credCert.CLIHandler{},
-					"aws":      &credAws.CLIHandler{},
-					"radius":   &credUserpass.CLIHandler{DefaultMount: "radius"},
-				},
-			}, nil
-		},
-
-		"auth-enable": func() (cli.Command, error) {
-			return &command.AuthEnableCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"auth-disable": func() (cli.Command, error) {
-			return &command.AuthDisableCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"audit-list": func() (cli.Command, error) {
-			return &command.AuditListCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"audit-disable": func() (cli.Command, error) {
-			return &command.AuditDisableCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"audit-enable": func() (cli.Command, error) {
-			return &command.AuditEnableCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"key-status": func() (cli.Command, error) {
-			return &command.KeyStatusCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"policies": func() (cli.Command, error) {
-			return &command.PolicyListCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"policy-delete": func() (cli.Command, error) {
-			return &command.PolicyDeleteCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"policy-write": func() (cli.Command, error) {
-			return &command.PolicyWriteCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"read": func() (cli.Command, error) {
-			return &command.ReadCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"unwrap": func() (cli.Command, error) {
-			return &command.UnwrapCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"list": func() (cli.Command, error) {
-			return &command.ListCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"write": func() (cli.Command, error) {
-			return &command.WriteCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"delete": func() (cli.Command, error) {
-			return &command.DeleteCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"rekey": func() (cli.Command, error) {
-			return &command.RekeyCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"generate-root": func() (cli.Command, error) {
-			return &command.GenerateRootCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"renew": func() (cli.Command, error) {
-			return &command.RenewCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"revoke": func() (cli.Command, error) {
-			return &command.RevokeCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"seal": func() (cli.Command, error) {
-			return &command.SealCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"status": func() (cli.Command, error) {
-			return &command.StatusCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"unseal": func() (cli.Command, error) {
-			return &command.UnsealCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"step-down": func() (cli.Command, error) {
-			return &command.StepDownCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"mount": func() (cli.Command, error) {
-			return &command.MountCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"mounts": func() (cli.Command, error) {
-			return &command.MountsCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"mount-tune": func() (cli.Command, error) {
-			return &command.MountTuneCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"remount": func() (cli.Command, error) {
-			return &command.RemountCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"rotate": func() (cli.Command, error) {
-			return &command.RotateCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"unmount": func() (cli.Command, error) {
-			return &command.UnmountCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"token-create": func() (cli.Command, error) {
-			return &command.TokenCreateCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"token-lookup": func() (cli.Command, error) {
-			return &command.TokenLookupCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"token-renew": func() (cli.Command, error) {
-			return &command.TokenRenewCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"token-revoke": func() (cli.Command, error) {
-			return &command.TokenRevokeCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"capabilities": func() (cli.Command, error) {
-			return &command.CapabilitiesCommand{
-				Meta: *metaPtr,
-			}, nil
-		},
-
-		"version": func() (cli.Command, error) {
-			versionInfo := version.GetVersion()
-
-			return &command.VersionCommand{
-				VersionInfo: versionInfo,
-				Ui:          metaPtr.Ui,
-			}, nil
-		},
-	}
-}
diff --git a/command/commands.go b/command/commands.go
index 06a57a53d..751d66e7c 100644
--- a/command/commands.go
+++ b/command/commands.go
@@ -32,6 +32,7 @@ import (
 	auditSyslog "github.com/hashicorp/vault/builtin/audit/syslog"
 
 	credGcp "github.com/hashicorp/vault-plugin-auth-gcp/plugin"
+	credKube "github.com/hashicorp/vault-plugin-auth-kubernetes"
 	credAppId "github.com/hashicorp/vault/builtin/credential/app-id"
 	credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
 	credAws "github.com/hashicorp/vault/builtin/credential/aws"
@@ -410,17 +411,18 @@ func init() {
 					"syslog": auditSyslog.Factory,
 				},
 				CredentialBackends: map[string]logical.Factory{
-					"app-id":   credAppId.Factory,
-					"approle":  credAppRole.Factory,
-					"aws":      credAws.Factory,
-					"cert":     credCert.Factory,
-					"gcp":      credGcp.Factory,
-					"github":   credGitHub.Factory,
-					"ldap":     credLdap.Factory,
-					"okta":     credOkta.Factory,
-					"plugin":   plugin.Factory,
-					"radius":   credRadius.Factory,
-					"userpass": credUserpass.Factory,
+					"app-id":     credAppId.Factory,
+					"approle":    credAppRole.Factory,
+					"aws":        credAws.Factory,
+					"cert":       credCert.Factory,
+					"gcp":        credGcp.Factory,
+					"github":     credGitHub.Factory,
+					"kubernetes": credKube.Factory,
+					"ldap":       credLdap.Factory,
+					"okta":       credOkta.Factory,
+					"plugin":     plugin.Factory,
+					"radius":     credRadius.Factory,
+					"userpass":   credUserpass.Factory,
 				},
 				LogicalBackends: map[string]logical.Factory{
 					"aws":        aws.Factory,
diff --git a/command/remount.go b/command/remount.go
deleted file mode 100644
index 999e5ac3a..000000000
--- a/command/remount.go
+++ /dev/null
@@ -1,116 +0,0 @@
-package command
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/hashicorp/vault-enterprise/meta"
-	"github.com/mitchellh/cli"
-	"github.com/posener/complete"
-)
-
-// Ensure we are implementing the right interfaces.
-var _ cli.Command = (*RemountCommand)(nil)
-var _ cli.CommandAutocomplete = (*RemountCommand)(nil)
-
-// RemountCommand is a Command that remounts a mounted secret backend
-// to a new endpoint.
-type RemountCommand struct {
-	*BaseCommand
-}
-
-func (c *RemountCommand) Synopsis() string {
-	return "Remounts a secret backend to a new path"
-}
-
-func (c *RemountCommand) Help() string {
-	helpText := `
-Usage: vault remount [options] SOURCE DESTINATION
-
-  Remounts an existing secret backend to a new path. Any leases from the old
-  backend are revoked, but the data associated with the backend (such as
-  configuration), is preserved.
-
-  Move the existing mount at secret/ to generic/:
-
-      $ vault remount secret/ generic/
-
-  For a full list of examples, please see the documentation.
-
-` + c.Flags().Help()
-
-	return strings.TrimSpace(helpText)
-}
-
-func (c *RemountCommand) Flags() *FlagSets {
-	return c.flagSet(FlagSetHTTP)
-}
-
-func (c *RemountCommand) AutocompleteArgs() complete.Predictor {
-	return c.PredictVaultMounts()
-}
-
-func (c *RemountCommand) AutocompleteFlags() complete.Flags {
-	return c.Flags().Completions()
-}
-
-func (c *RemountCommand) Run(args []string) int {
-	f := c.Flags()
-
-	if err := f.Parse(args); err != nil {
-		c.UI.Error(err.Error())
-		return 1
-	}
-
-	args = f.Args()
-	switch len(args) {
-	case 0, 1:
-		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 2, got %d)", len(args)))
-		return 1
-	case 2:
-	default:
-		c.UI.Error(fmt.Sprintf("Too many arguments (expected 2, got %d)", len(args)))
-		return 1
-	}
-
-	// Grab the source and destination
-	source := ensureTrailingSlash(args[0])
-	destination := ensureTrailingSlash(args[1])
-
-	client, err := c.Client()
-	if err != nil {
-		c.UI.Error(err.Error())
-		return 2
-	}
-
-	if err := client.Sys().Remount(source, destination); err != nil {
-		c.UI.Error(fmt.Sprintf("Error remounting %s to %s: %s", source, destination, err))
-		return 2
-	}
-
-	c.UI.Output(fmt.Sprintf("Success! Remounted %s to: %s", source, destination))
-	return 0
-}
-
-func (c *RemountCommand) Synopsis() string {
-	return "Remount a secret backend to a new path"
-}
-
-func (c *RemountCommand) Help() string {
-	helpText := `
-Usage: vault remount [options] from to
-
-  Remount a mounted secret backend to a new path.
-
-  This command remounts a secret backend that is already mounted to
-  a new path. All the secrets from the old path will be revoked, but
-  the data associated with the backend (such as configuration), will
-  be preserved.
-
-  Example: vault remount secret/ kv/
-
-General Options:
-` + meta.GeneralOptionsUsage()
-
-	return strings.TrimSpace(helpText)
-}
diff --git a/command/server.go b/command/server.go
index 0160776dc..180a2fae6 100644
--- a/command/server.go
+++ b/command/server.go
@@ -8,14 +8,12 @@ import (
 	"net/http"
 	"net/url"
 	"os"
-	"os/signal"
 	"path/filepath"
 	"runtime"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"
 	"time"
 
 	"golang.org/x/net/http2"
@@ -84,6 +82,8 @@ type ServerCommand struct {
 
 	flagDevPluginDir     string
 	flagDevHA            bool
+	flagDevLatency       int
+	flagDevLatencyJitter int
 	flagDevTransactional bool
 	flagDevLeasedKV      bool
 	flagDevThreeNode     bool
@@ -204,8 +204,20 @@ func (c *ServerCommand) Flags() *FlagSets {
 		Hidden:  true,
 	})
 
+	f.IntVar(&IntVar{
+		Name:   "dev-latency",
+		Target: &c.flagDevLatency,
+		Hidden: true,
+	})
+
+	f.IntVar(&IntVar{
+		Name:   "dev-latency-jitter",
+		Target: &c.flagDevLatencyJitter,
+		Hidden: true,
+	})
+
 	f.BoolVar(&BoolVar{
-		Name:    "dev-leased-generic",
+		Name:    "dev-leased-kv",
 		Target:  &c.flagDevLeasedKV,
 		Default: false,
 		Hidden:  true,
@@ -442,12 +454,12 @@ func (c *ServerCommand) Run(args []string) int {
 		if devPluginDir != "" {
 			coreConfig.PluginDirectory = devPluginDir
 		}
-		if devLatency > 0 {
-			injectLatency := time.Duration(devLatency) * time.Millisecond
+		if c.flagDevLatency > 0 {
+			injectLatency := time.Duration(c.flagDevLatency) * time.Millisecond
 			if _, txnOK := backend.(physical.Transactional); txnOK {
-				coreConfig.Physical = physical.NewTransactionalLatencyInjector(backend, injectLatency, devLatencyJitter, c.logger)
+				coreConfig.Physical = physical.NewTransactionalLatencyInjector(backend, injectLatency, c.flagDevLatencyJitter, c.logger)
 			} else {
-				coreConfig.Physical = physical.NewLatencyInjector(backend, injectLatency, devLatencyJitter, c.logger)
+				coreConfig.Physical = physical.NewLatencyInjector(backend, injectLatency, c.flagDevLatencyJitter, c.logger)
 			}
 		}
 	}
@@ -859,13 +871,13 @@ CLUSTER_SYNTHESIS_COMPLETE:
 
 	// Write out the PID to the file now that server has successfully started
 	if err := c.storePidFile(config.PidFile); err != nil {
-		c.Ui.Output(fmt.Sprintf("Error storing PID: %v", err))
+		c.UI.Error(fmt.Sprintf("Error storing PID: %s", err))
 		return 1
 	}
 
 	defer func() {
 		if err := c.removePidFile(config.PidFile); err != nil {
-			c.Ui.Output(fmt.Sprintf("Error deleting the PID file: %v", err))
+			c.UI.Error(fmt.Sprintf("Error deleting the PID file: %s", err))
 		}
 	}()
 
@@ -1456,6 +1468,8 @@ func (c *ServerCommand) AutocompleteFlags() complete.Flags {
 		"-dev-listen-address": complete.PredictNothing,
 		"-log-level":          complete.PredictSet("trace", "debug", "info", "warn", "err"),
 	}
+
+	return reloadErrors.ErrorOrNil()
 }
 
 // storePidFile is used to write out our PID to a file if necessary
@@ -1489,38 +1503,6 @@ func (c *ServerCommand) removePidFile(pidPath string) error {
 	return os.Remove(pidPath)
 }
 
-// MakeShutdownCh returns a channel that can be used for shutdown
-// notifications for commands. This channel will send a message for every
-// SIGINT or SIGTERM received.
-func MakeShutdownCh() chan struct{} {
-	resultCh := make(chan struct{})
-
-	shutdownCh := make(chan os.Signal, 4)
-	signal.Notify(shutdownCh, os.Interrupt, syscall.SIGTERM)
-	go func() {
-		<-shutdownCh
-		close(resultCh)
-	}()
-	return resultCh
-}
-
-// MakeSighupCh returns a channel that can be used for SIGHUP
-// reloading. This channel will send a message for every
-// SIGHUP received.
-func MakeSighupCh() chan struct{} {
-	resultCh := make(chan struct{})
-
-	signalCh := make(chan os.Signal, 4)
-	signal.Notify(signalCh, syscall.SIGHUP)
-	go func() {
-		for {
-			<-signalCh
-			resultCh <- struct{}{}
-		}
-	}()
-	return resultCh
-}
-
 type grpclogFaker struct {
 	logger log.Logger
 	log    bool
diff --git a/website/source/_ember_steps.html.erb b/website/source/_ember_steps.html.erb
index c28a008e8..7980f25c1 100644
--- a/website/source/_ember_steps.html.erb
+++ b/website/source/_ember_steps.html.erb
@@ -95,7 +95,7 @@
 <script type="text/x-handlebars" data-template-name="secrets">
     <p>
         Now that Vault has been set-up, we can start reading and writing secrets
-        with the default mounted secret backend. Secrets written to Vault
+        with the default enabled secrets engine. Secrets written to Vault
         are encrypted and then written to the backend storage.
         The backend storage mechanism never sees the unencrypted
         value and doesn't have the means necessary to decrypt
diff --git a/website/source/api/secret/aws/index.html.md b/website/source/api/secret/aws/index.html.md
index 85f33fbee..2023fd203 100644
--- a/website/source/api/secret/aws/index.html.md
+++ b/website/source/api/secret/aws/index.html.md
@@ -1,19 +1,19 @@
 ---
 layout: "api"
-page_title: "AWS Secret Backend - HTTP API"
+page_title: "AWS - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-aws"
 description: |-
-  This is the API documentation for the Vault AWS secret backend.
+  This is the API documentation for the Vault AWS secrets engine.
 ---
 
-# AWS Secret Backend HTTP API
+# AWS Secrets Engine (API)
 
-This is the API documentation for the Vault AWS secret backend. For general
-information about the usage and operation of the AWS backend, please see the
-[Vault AWS backend documentation](/docs/secrets/aws/index.html).
+This is the API documentation for the Vault AWS secrets engine. For general
+information about the usage and operation of the AWS secrets engine, please see
+the [Vault AWS documentation](/docs/secrets/aws/index.html).
 
-This documentation assumes the AWS backend is mounted at the `/aws` path in
-Vault. Since it is possible to mount secret backends at any location, please
+This documentation assumes the AWS secrets engine is enabled at the `/aws` path
+in Vault. Since it is possible to enable secrets engines at any location, please
 update your API calls accordingly.
 
 ## Configure Root IAM Credentials
@@ -74,7 +74,7 @@ $ curl \
 
 ## Configure Lease
 
-This endpoint configures lease settings for the AWS secret backend. It is
+This endpoint configures lease settings for the AWS secrets engine. It is
 optional, as there are default values for `lease` and `lease_max`.
 
 | Method   | Path                         | Produces               |
@@ -111,7 +111,7 @@ $ curl \
 
 ## Read Lease
 
-This endpoint returns the current lease settings for the AWS secret backend.
+This endpoint returns the current lease settings for the AWS secrets engine.
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |
@@ -231,7 +231,7 @@ For an ARN:
 
 ## List Roles
 
-This endpoint lists all existing roles in the backend.
+This endpoint lists all existing roles in the secrets engine.
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |
diff --git a/website/source/api/secret/cassandra/index.html.md b/website/source/api/secret/cassandra/index.html.md
index 5bfabb5df..3e28e5b1c 100644
--- a/website/source/api/secret/cassandra/index.html.md
+++ b/website/source/api/secret/cassandra/index.html.md
@@ -1,25 +1,25 @@
 ---
 layout: "api"
-page_title: "Cassandra Secret Backend - HTTP API"
+page_title: "Cassandra - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-cassandra"
 description: |-
-  This is the API documentation for the Vault Cassandra secret backend.
+  This is the API documentation for the Vault Cassandra secrets engine.
 ---
 
-# Cassandra Secret Backend HTTP API
+# Cassandra Secrets Engine (API)
 
 ~> **Deprecation Note:** This backend is deprecated in favor of the
 combined databases backend added in v0.7.1. See the API documentation for
 the new implementation of this backend at
-[Cassandra Database Plugin HTTP API](/api/secret/databases/cassandra.html).
+[Cassandra database plugin HTTP API](/api/secret/databases/cassandra.html).
 
-This is the API documentation for the Vault Cassandra secret backend. For
+This is the API documentation for the Vault Cassandra secrets engine. For
 general information about the usage and operation of the Cassandra backend,
 please see the
 [Vault Cassandra backend documentation](/docs/secrets/cassandra/index.html).
 
 This documentation assumes the Cassandra backend is mounted at the `/cassandra`
-path in Vault. Since it is possible to mount secret backends at any location,
+path in Vault. Since it is possible to mount secrets engines at any location,
 please update your API calls accordingly.
 
 ## Configure Connection
diff --git a/website/source/api/secret/consul/index.html.md b/website/source/api/secret/consul/index.html.md
index 9c303be6f..d3c6bbc6c 100644
--- a/website/source/api/secret/consul/index.html.md
+++ b/website/source/api/secret/consul/index.html.md
@@ -1,20 +1,20 @@
 ---
 layout: "api"
-page_title: "Consul Secret Backend - HTTP API"
+page_title: "Consul - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-consul"
 description: |-
-  This is the API documentation for the Vault Consul secret backend.
+  This is the API documentation for the Vault Consul secrets engine.
 ---
 
-# Consul Secret Backend HTTP API
+# Consul Secrets Engine (API)
 
-This is the API documentation for the Vault Consul secret backend. For general
-information about the usage and operation of the Consul backend, please see the
-[Vault Consul backend documentation](/docs/secrets/consul/index.html).
+This is the API documentation for the Vault Consul secrets engine. For general
+information about the usage and operation of the Consul secrets engine, please
+see the [Vault Consul documentation](/docs/secrets/consul/index.html).
 
-This documentation assumes the Consul backend is mounted at the `/consul` path
-in Vault. Since it is possible to mount secret backends at any location, please
-update your API calls accordingly.
+This documentation assumes the Consul secrets engine is enabled at the `/consul`
+path in Vault. Since it is possible to enable secrets engines at any location,
+please update your API calls accordingly.
 
 ## Configure Access
 
@@ -147,7 +147,7 @@ $ curl \
 
 ## List Roles
 
-This endpoint lists all existing roles in the backend.
+This endpoint lists all existing roles in the secrets engine.
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |
diff --git a/website/source/api/secret/cubbyhole/index.html.md b/website/source/api/secret/cubbyhole/index.html.md
index 02b9a6387..ee86fe04f 100644
--- a/website/source/api/secret/cubbyhole/index.html.md
+++ b/website/source/api/secret/cubbyhole/index.html.md
@@ -1,21 +1,21 @@
 ---
 layout: "api"
-page_title: "Cubbyhole Secret Backend - HTTP API"
+page_title: "Cubbyhole - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-cubbyhole"
 description: |-
-  This is the API documentation for the Vault Cubbyhole secret backend.
+  This is the API documentation for the Vault Cubbyhole secrets engine.
 ---
 
-# Cubbyhole Secret Backend HTTP API
+# Cubbyhole Secrets Engine (API)
 
-This is the API documentation for the Vault Cubbyhole secret backend. For
-general information about the usage and operation of the Cubbyhole backend,
-please see the
-[Vault Cubbyhole backend documentation](/docs/secrets/cubbyhole/index.html).
+This is the API documentation for the Vault Cubbyhole secrets engine. For
+general information about the usage and operation of the Cubbyhole secrets
+engine, please see the
+[Vault Cubbyhole documentation](/docs/secrets/cubbyhole/index.html).
 
-This documentation assumes the Cubbyhole backend is mounted at the `/cubbyhole`
-path in Vault. Since it is possible to mount secret backends at any location,
-please update your API calls accordingly.
+This documentation assumes the Cubbyhole secrets engine is enabled at the
+`/cubbyhole` path in Vault. Since it is possible to enable secrets engines at
+any location, please update your API calls accordingly.
 
 ## Read Secret
 
diff --git a/website/source/api/secret/databases/cassandra.html.md b/website/source/api/secret/databases/cassandra.html.md
index 5b60b2763..ddf4b7f6d 100644
--- a/website/source/api/secret/databases/cassandra.html.md
+++ b/website/source/api/secret/databases/cassandra.html.md
@@ -1,21 +1,21 @@
 ---
 layout: "api"
-page_title: "Cassandra Database Plugin - HTTP API"
+page_title: "Cassandra - Database - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-databases-cassandra"
 description: |-
-  The Cassandra plugin for Vault's Database backend generates database credentials to access Cassandra servers.
+  The Cassandra plugin for Vault's database secrets engine generates database credentials to access Cassandra servers.
 ---
 
 # Cassandra Database Plugin HTTP API
 
-The Cassandra Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
+The Cassandra database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the Cassandra database.
 
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api/secret/databases/index.html#configure-connection), this plugin
+Secrets Engine](/api/secret/databases/index.html#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method   | Path                         | Produces               |
@@ -48,7 +48,7 @@ has a number of parameters to further configure a connection.
 - `pem_json` `(string: "")` – Specifies JSON containing a certificate and
   private key; a certificate, private key, and issuing CA certificate; or just a
   CA certificate. For convenience format is the same as the output of the
-  `issue` command from the `pki` backend; see
+  `issue` command from the `pki` secrets engine; see
   [the pki documentation](/docs/secrets/pki/index.html).
 
 - `protocol_version` `(int: 2)` – Specifies the CQL protocol version to use.
@@ -74,7 +74,7 @@ TLS works as follows:
 `pem_bundle` should be a PEM-concatenated bundle of a private key + client
 certificate, an issuing CA certificate, or both. `pem_json` should contain the
 same information; for convenience, the JSON format is the same as that output by
-the issue command from the PKI backend.
+the issue command from the PKI secrets engine.
 
 ### Sample Payload
 
@@ -103,7 +103,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the datatabse on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the Database Backend docs.
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
 
 ### Parameters
 
@@ -129,4 +129,4 @@ list the plugin does not support that statement type.
   semicolon-separated string, a base64-encoded semicolon-separated string, a
   serialized JSON string array, or a base64-encoded serialized JSON string
   array. The '{{name}}' value will be substituted. If not provided, defaults to
-  a generic drop user statement 
+  a generic drop user statement
diff --git a/website/source/api/secret/databases/hanadb.html.md b/website/source/api/secret/databases/hanadb.html.md
index e10881551..51dfd856d 100644
--- a/website/source/api/secret/databases/hanadb.html.md
+++ b/website/source/api/secret/databases/hanadb.html.md
@@ -1,21 +1,21 @@
 ---
 layout: "api"
-page_title: "HANA Database Plugin - HTTP API"
+page_title: "HANA - Database - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-databases-hana"
 description: |-
-  The HANA plugin for Vault's Database backend generates database credentials to access HANA servers.
+  The HANA plugin for Vault's database secrets engine generates database credentials to access HANA servers.
 ---
 
 # HANA Database Plugin HTTP API
 
-The HANA Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
+The HANA database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the HANA database.
 
 ## Configure Connection
 
-In addition to the parameters defined by the [Database
-Backend](/api/secret/databases/index.html#configure-connection), this plugin
+In addition to the parameters defined by the [database
+secrets engine](/api/secret/databases/index.html#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method   | Path                         | Produces               |
@@ -63,7 +63,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the datatabse on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the Database Backend docs.
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
 
 ### Parameters
 
diff --git a/website/source/api/secret/databases/index.html.md b/website/source/api/secret/databases/index.html.md
index ffbf41d1c..44995b771 100644
--- a/website/source/api/secret/databases/index.html.md
+++ b/website/source/api/secret/databases/index.html.md
@@ -1,21 +1,21 @@
 ---
 layout: "api"
-page_title: "Databases - HTTP API"
+page_title: "Database - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-databases"
 description: |-
-  Top page for database secret backend information
+  Top page for database secrets engine information
 ---
 
-# Database Secret Backend HTTP API
+# Database Secrets Engine (API)
 
-This is the API documentation for the Vault Database secret backend. For
-general information about the usage and operation of the Database backend,
+This is the API documentation for the Vault Database secrets engine. For
+general information about the usage and operation of the database secrets engine,
 please see the
-[Vault Database backend documentation](/docs/secrets/databases/index.html).
+[Vault database secrets engine documentation](/docs/secrets/databases/index.html).
 
-This documentation assumes the Database backend is mounted at the
-`/database` path in Vault. Since it is possible to mount secret backends at
-any location, please update your API calls accordingly.
+This documentation assumes the database secrets engine is enabled at the
+`/database` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
 
 ## Configure Connection
 
@@ -164,11 +164,11 @@ This endpoint creates or updates a role definition.
 
 - `default_ttl` `(string/int: 0)` - Specifies the TTL for the leases
   associated with this role. Accepts time suffixed strings ("1h") or an integer
-  number of seconds. Defaults to system/backend default TTL time.
+  number of seconds. Defaults to system/engine default TTL time.
 
 - `max_ttl` `(string/int: 0)` - Specifies the maximum TTL for the leases
   associated with this role. Accepts time suffixed strings ("1h") or an integer
-  number of seconds. Defaults to system/backend default TTL time.
+  number of seconds. Defaults to system/engine default TTL time.
 
 - `creation_statements` `(string: <required>)` – Specifies the database
   statements executed to create and configure a user. See the plugin's API page
diff --git a/website/source/api/secret/databases/mongodb.html.md b/website/source/api/secret/databases/mongodb.html.md
index 48a8ae2c4..d98a1804d 100644
--- a/website/source/api/secret/databases/mongodb.html.md
+++ b/website/source/api/secret/databases/mongodb.html.md
@@ -1,15 +1,15 @@
 ---
 layout: "api"
-page_title: "MongoDB Database Plugin - HTTP API"
+page_title: "MongoDB - Database - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-databases-mongodb"
 description: |-
-  The MongoDB plugin for Vault's Database backend generates database credentials to access MongoDB servers.
+  The MongoDB plugin for Vault's database secrets engine generates database credentials to access MongoDB servers.
 ---
 
 # MongoDB Database Plugin HTTP API
 
-The MongoDB Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
+The MongoDB database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the MongoDB database.
 
 ## Configure Connection
@@ -50,7 +50,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the datatabse on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the Database Backend docs.
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
 
 ### Parameters
 
@@ -59,7 +59,7 @@ list the plugin does not support that statement type.
 
 - `creation_statements` `(string: <required>)` – Specifies the database
   statements executed to create and configure a user. Must be a
-  serialized JSON object, or a base64-encoded serialized JSON object. 
+  serialized JSON object, or a base64-encoded serialized JSON object.
   The object can optionally contain a "db" string for session connection,
   and must contain a "roles" array. This array contains objects that holds
   a "role", and an optional "db" value, and is similar to the BSON document that
@@ -68,7 +68,7 @@ list the plugin does not support that statement type.
   [MongoDB's documentation](https://docs.mongodb.com/manual/reference/method/db.createUser/).
 
 - `revocation_statements` `(string: "")` – Specifies the database statements to
-  be executed to revoke a user. Must be a serialized JSON object, or a base64-encoded 
+  be executed to revoke a user. Must be a serialized JSON object, or a base64-encoded
   serialized JSON object. The object can optionally contain a "db" string. If no
   "db" value is provided, it defaults to the "admin" database.
 
@@ -84,4 +84,4 @@ list the plugin does not support that statement type.
     }
   ]
 }
-```
\ No newline at end of file
+```
diff --git a/website/source/api/secret/databases/mssql.html.md b/website/source/api/secret/databases/mssql.html.md
index 42d75462b..15c16b3c0 100644
--- a/website/source/api/secret/databases/mssql.html.md
+++ b/website/source/api/secret/databases/mssql.html.md
@@ -1,15 +1,15 @@
 ---
 layout: "api"
-page_title: "MSSQL Database Plugin - HTTP API"
+page_title: "MSSQL - Database - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-databases-mssql"
 description: |-
-  The MSSQL plugin for Vault's Database backend generates database credentials to access MSSQL servers.
+  The MSSQL plugin for Vault's database secrets engine generates database credentials to access MSSQL servers.
 ---
 
 # MSSQL Database Plugin HTTP API
 
-The MSSQL Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
+The MSSQL database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the MSSQL database.
 
 ## Configure Connection
@@ -63,7 +63,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the datatabse on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the Database Backend docs.
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
 
 ### Parameters
 
diff --git a/website/source/api/secret/databases/mysql-maria.html.md b/website/source/api/secret/databases/mysql-maria.html.md
index 0a64ab48b..f39d9be13 100644
--- a/website/source/api/secret/databases/mysql-maria.html.md
+++ b/website/source/api/secret/databases/mysql-maria.html.md
@@ -1,15 +1,15 @@
 ---
 layout: "api"
-page_title: "MySQL/MariaDB Database Plugin - HTTP API"
+page_title: "MySQL/MariaDB - Database - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-databases-mysql-maria"
 description: |-
-  The MySQL/MariaDB plugin for Vault's Database backend generates database credentials to access MySQL and MariaDB servers.
+  The MySQL/MariaDB plugin for Vault's database secrets engine generates database credentials to access MySQL and MariaDB servers.
 ---
 
 # MySQL/MariaDB Database Plugin HTTP API
 
-The MySQL Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
+The MySQL database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the MySQL database.
 
 ## Configure Connection
@@ -63,7 +63,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the datatabse on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the Database Backend docs.
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
 
 ### Parameters
 
diff --git a/website/source/api/secret/databases/oracle.html.md b/website/source/api/secret/databases/oracle.html.md
index 5a6f5433a..31938f0cb 100644
--- a/website/source/api/secret/databases/oracle.html.md
+++ b/website/source/api/secret/databases/oracle.html.md
@@ -1,15 +1,15 @@
 ---
 layout: "api"
-page_title: "Oracle Database Plugin - HTTP API"
+page_title: "Oracle - Database - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-databases-oracle-maria"
 description: |-
-  The Oracle plugin for Vault's Database backend generates database credentials to access Oracle servers.
+  The Oracle plugin for Vault's database secrets engine generates database credentials to access Oracle servers.
 ---
 
 # Oracle Database Plugin HTTP API
 
-The Oracle Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
+The Oracle database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the Oracle database.
 
 ## Configure Connection
@@ -63,7 +63,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the datatabse on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the Database Backend docs.
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
 
 ### Parameters
 
diff --git a/website/source/api/secret/databases/postgresql.html.md b/website/source/api/secret/databases/postgresql.html.md
index bb58a523f..5164bf558 100644
--- a/website/source/api/secret/databases/postgresql.html.md
+++ b/website/source/api/secret/databases/postgresql.html.md
@@ -1,15 +1,15 @@
 ---
 layout: "api"
-page_title: "PostgreSQL Database Plugin - HTTP API"
+page_title: "PostgreSQL - Database - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-databases-postgresql"
 description: |-
-  The PostgreSQL plugin for Vault's Database backend generates database credentials to access PostgreSQL servers.
+  The PostgreSQL plugin for Vault's database secrets engine generates database credentials to access PostgreSQL servers.
 ---
 
 # PostgreSQL Database Plugin HTTP API
 
-The PostgreSQL Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
+The PostgreSQL database plugin is one of the supported plugins for the database
+secrets engine. This plugin generates database credentials dynamically based on
 configured roles for the PostgreSQL database.
 
 ## Configure Connection
@@ -63,7 +63,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the datatabse on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api/secret/databases/index.html#create-role) in the Database Backend docs.
+API](/api/secret/databases/index.html#create-role) in the database secrets engine docs.
 
 ### Parameters
 
diff --git a/website/source/api/secret/identity/index.html.md b/website/source/api/secret/identity/index.html.md
index 4c3edd0b8..6578b2753 100644
--- a/website/source/api/secret/identity/index.html.md
+++ b/website/source/api/secret/identity/index.html.md
@@ -1,17 +1,16 @@
 ---
 layout: "api"
-page_title: "Identity Secret Backend - HTTP API"
+page_title: "Identity - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-identity"
 description: |-
-  This is the API documentation for the Vault Identity secret backend.
+  This is the API documentation for the Vault Identity secrets engine.
 ---
 
-# Identity Secret Backend HTTP API
+# Identity Secrets Engine (API)
 
-This is the API documentation for the Vault Identity secret backend. For
-general information about the usage and operation of the Identity backend,
-please see the
-[Vault Identity backend documentation](/docs/secrets/identity/index.html).
+This is the API documentation for the Vault Identity secrets engine. For general
+information about the usage and operation of the Identity secrets engine, please
+see the [Vault Identity documentation](/docs/secrets/identity/index.html).
 
 ## Register Entity
 
@@ -219,11 +218,11 @@ given identifier.
 
 ### Parameters
 
-- `name` (string: Required) - Name of the persona. Name should be the
-  identifier of the client in the authentication source. For example, if the
-  persona belongs to userpass backend, the name should be a valid username
-  within userpass backend. If persona belongs to GitHub, it should be the
-  GitHub username.
+- `name` (string: Required) - Name of the persona. Name should be the identifier
+  of the client in the authentication source. For example, if the persona
+  belongs to userpass auth method, the name should be a valid username within
+  userpass auth method. If persona belongs to GitHub, it should be the GitHub
+  username.
 
 - `entity_id` (string: required) - Entity ID to which this persona belongs to.
 
@@ -319,8 +318,8 @@ This endpoint is used to update an existing persona.
 
 - `name` (string: Required) - Name of the persona. Name should be the
   identifier of the client in the authentication source. For example, if the
-  persona belongs to userpass backend, the name should be a valid username
-  within userpass backend. If persona belongs to GitHub, it should be the
+  persona belongs to userpass auth method, the name should be a valid username
+  within userpass auth method. If persona belongs to GitHub, it should be the
   GitHub username.
 
 - `entity_id` (string: required) - Entity ID to which this persona belongs to.
diff --git a/website/source/api/secret/index.html.md b/website/source/api/secret/index.html.md
index 2912451b5..3398185b8 100644
--- a/website/source/api/secret/index.html.md
+++ b/website/source/api/secret/index.html.md
@@ -1,19 +1,18 @@
 ---
 layout: "api"
-page_title: "HTTP API"
+page_title: "Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret"
 description: |-
-  Each secret backend publishes its own set of API paths and methods. These
+  Each secrets engine publishes its own set of API paths and methods. These
   endpoints are documented in this section.
 ---
 
-# Secret Backends
+# Secrets Engines
 
-Each secret backend publishes its own set of API paths and methods. These
-endpoints are documented in this section. Secret backends are mounted at a path,
-but the documentation will assume the default mount points for simplicity. If
-you are mounting at a different path, you should adjust your API calls
-accordingly.
+Each secrets engine publishes its own set of API paths and methods. These
+endpoints are documented in this section. secrets engines are enabled at a path,
+but the documentation will assume the default paths for simplicity. If you are
+enabled at a different path, you should adjust your API calls accordingly.
 
-For the API documentation for a specific secret backend, please choose a secret
-backend from the navigation.
+For the API documentation for a specific secrets engine, please choose a secrets
+engine from the navigation.
diff --git a/website/source/api/secret/kv/index.html.md b/website/source/api/secret/kv/index.html.md
index 2b2ab8610..5042b8c50 100644
--- a/website/source/api/secret/kv/index.html.md
+++ b/website/source/api/secret/kv/index.html.md
@@ -1,20 +1,20 @@
 ---
 layout: "api"
-page_title: "Key/Value Secret Backend - HTTP API"
+page_title: "KV - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-kv"
 description: |-
-  This is the API documentation for the Vault Key/Value secret backend.
+  This is the API documentation for the Vault KV secrets engine.
 ---
 
-# Key/Value Secret Backend HTTP API
+# KV Secrets Engine (API)
 
-This is the API documentation for the Vault Key/Value secret backend. For general
-information about the usage and operation of the Key/Value backend, please see
-the [Vault Key/Value backend documentation](/docs/secrets/kv/index.html).
+This is the API documentation for the Vault KV secrets engine. For general
+information about the usage and operation of the kv secrets engine, please
+see the [Vault kv documentation](/docs/secrets/kv/index.html).
 
-This documentation assumes the Key/Value backend is mounted at the `/secret`
-path in Vault. Since it is possible to mount secret backends at any location,
-please update your API calls accordingly.
+This documentation assumes the kv secrets engine is enabled at the
+`/secret` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
 
 ## Read Secret
 
@@ -53,9 +53,9 @@ $ curl \
 
 _Note_: the `lease_duration` field (which on the CLI shows as
 `refresh_interval`) is advisory. No lease is created. This is a way for writers
-to indicate how often a given value shold be re-read by the client. See the
-[Vault Key/Value backend documentation](/docs/secrets/kv/index.html) for
-more details.
+to indicate how often a given value should be re-read by the client. See the
+[Vault KV secrets engine documentation](/docs/secrets/kv/index.html)
+for more details.
 
 ## List Secrets
 
@@ -121,7 +121,7 @@ policy granting the `update` capability.
 - `:key` `(string: "")` – Specifies a key, paired with an associated value, to
   be held at the given location. Multiple key/value pairs can be specified, and
   all will be returned on a read operation. A key called `ttl` will trigger
-  some special behavior; see the [Vault Key/Value backend
+  some special behavior. See the [Vault KV secrets engine
   documentation](/docs/secrets/kv/index.html) for details.
 
 ### Sample Payload
diff --git a/website/source/api/secret/mongodb/index.html.md b/website/source/api/secret/mongodb/index.html.md
index 763027e15..a4637e9ec 100644
--- a/website/source/api/secret/mongodb/index.html.md
+++ b/website/source/api/secret/mongodb/index.html.md
@@ -1,25 +1,26 @@
 ---
 layout: "api"
-page_title: "MongoDB Secret Backend - HTTP API"
+page_title: "MongoDB - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-mongodb"
 description: |-
-  This is the API documentation for the Vault MongoDB secret backend.
+  This is the API documentation for the Vault MongoDB secrets engine.
 ---
 
-# MongoDB Secret Backend HTTP API
+# MongoDB Secrets Engine (API)
 
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the API documentation for
-the new implementation of this backend at
-[MongoDB Database Plugin HTTP API](/api/secret/databases/mongodb.html).
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the API documentation for
+the new implementation of this secrets engine at
+[MongoDB database plugin HTTP API](/api/secret/databases/mongodb.html).
 
-This is the API documentation for the Vault MongoDB secret backend. For general
-information about the usage and operation of the MongoDB backend, please see
-the [Vault MongoDB backend documentation](/docs/secrets/mongodb/index.html).
+This is the API documentation for the Vault MongoDB secrets engine. For general
+information about the usage and operation of the MongoDB secrets engine, please
+see the
+[Vault MongoDB secrets engine documentation](/docs/secrets/mongodb/index.html).
 
-This documentation assumes the MongoDB backend is mounted at the `/mongodb`
-path in Vault. Since it is possible to mount secret backends at any location,
-please update your API calls accordingly.
+This documentation assumes the MongoDB secrets engine is enabled at the
+`/mongodb` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
 
 ## Configure Connection
 
@@ -109,7 +110,7 @@ $ curl \
 ## Configure Lease
 
 This endpoint configures the default lease TTL settings for credentials
-generated by the mongodb backend.
+generated by the mongodb secrets engine.
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |
diff --git a/website/source/api/secret/mssql/index.html.md b/website/source/api/secret/mssql/index.html.md
index a660736ee..30c17b34b 100644
--- a/website/source/api/secret/mssql/index.html.md
+++ b/website/source/api/secret/mssql/index.html.md
@@ -1,24 +1,24 @@
 ---
 layout: "api"
-page_title: "MSSQL Secret Backend - HTTP API"
+page_title: "MSSQL - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-mssql"
 description: |-
-  This is the API documentation for the Vault MSSQL secret backend.
+  This is the API documentation for the Vault MSSQL secrets engine.
 ---
 
-# MSSQL Secret Backend HTTP API
+# MSSQL Secrets Engine (API)
 
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the API documentation for
-the new implementation of this backend at
-[MSSQL Database Plugin HTTP API](/api/secret/databases/mssql.html).
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the API documentation for
+the new implementation of this secrets engine at
+[MSSQL database plugin HTTP API](/api/secret/databases/mssql.html).
 
-This is the API documentation for the Vault MSSQL secret backend. For general
-information about the usage and operation of the MSSQL backend, please see
-the [Vault MSSQL backend documentation](/docs/secrets/mssql/index.html).
+This is the API documentation for the Vault MSSQL secrets engine. For general
+information about the usage and operation of the MSSQL secrets engine, please
+see the [Vault MSSQL documentation](/docs/secrets/mssql/index.html).
 
-This documentation assumes the MSSQL backend is mounted at the `/mssql`
-path in Vault. Since it is possible to mount secret backends at any location,
+This documentation assumes the MSSQL secrets engine is enabled at the `/mssql`
+path in Vault. Since it is possible to enable secrets engines at any location,
 please update your API calls accordingly.
 
 ## Configure Connection
diff --git a/website/source/api/secret/mysql/index.html.md b/website/source/api/secret/mysql/index.html.md
index baf919db5..9a7940615 100644
--- a/website/source/api/secret/mysql/index.html.md
+++ b/website/source/api/secret/mysql/index.html.md
@@ -1,24 +1,24 @@
 ---
 layout: "api"
-page_title: "MySQL Secret Backend - HTTP API"
+page_title: "MySQL - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-mysql"
 description: |-
-  This is the API documentation for the Vault MySQL secret backend.
+  This is the API documentation for the Vault MySQL secrets engine.
 ---
 
-# MySQL Secret Backend HTTP API
+# MySQL Secrets Engine (API)
 
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the API documentation for
-the new implementation of this backend at
-[MySQL/MariaDB Database Plugin HTTP API](/api/secret/databases/mysql-maria.html).
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the API documentation for
+the new implementation of this secrets engine at
+[MySQL/MariaDB database plugin HTTP API](/api/secret/databases/mysql-maria.html).
 
-This is the API documentation for the Vault MySQL secret backend. For general
-information about the usage and operation of the MySQL backend, please see
-the [Vault MySQL backend documentation](/docs/secrets/mysql/index.html).
+This is the API documentation for the Vault MySQL secrets engine. For general
+information about the usage and operation of the MySQL secrets engine, please
+see the [Vault MySQL documentation](/docs/secrets/mysql/index.html).
 
-This documentation assumes the MySQL backend is mounted at the `/mysql`
-path in Vault. Since it is possible to mount secret backends at any location,
+This documentation assumes the MySQL secrets engine is enabled at the `/mysql`
+path in Vault. Since it is possible to enable secrets engines at any location,
 please update your API calls accordingly.
 
 ## Configure Connection
diff --git a/website/source/api/secret/pki/index.html.md b/website/source/api/secret/pki/index.html.md
index 40cbff273..8691eb0e7 100644
--- a/website/source/api/secret/pki/index.html.md
+++ b/website/source/api/secret/pki/index.html.md
@@ -1,19 +1,19 @@
 ---
 layout: "api"
-page_title: "PKI Secret Backend - HTTP API"
+page_title: "PKI - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-pki"
 description: |-
-  This is the API documentation for the Vault PKI secret backend.
+  This is the API documentation for the Vault PKI secrets engine.
 ---
 
-# PKI Secret Backend HTTP API
+# PKI Secrets Engine (API)
 
-This is the API documentation for the Vault PKI secret backend. For general
-information about the usage and operation of the PKI backend, please see the
-[Vault PKI backend documentation](/docs/secrets/pki/index.html).
+This is the API documentation for the Vault PKI secrets engine. For general
+information about the usage and operation of the PKI secrets engine, please see
+the [PKI documentation](/docs/secrets/pki/index.html).
 
-This documentation assumes the PKI backend is mounted at the `/pki` path in
-Vault. Since it is possible to mount secret backends at any location, please
+This documentation assumes the PKI secrets engine is enabled at the `/pki` path
+in Vault. Since it is possible to enable secrets engines at any location, please
 update your API calls accordingly.
 
 ## Table of Contents
@@ -172,10 +172,10 @@ $ curl \
 
 ## Submit CA Information
 
-This endpoint allows submitting the CA information for the backend via a PEM
-file containing the CA certificate and its private key, concatenated. Not needed
-if you are generating a self-signed root certificate, and not used if you have a
-signed intermediate CA certificate with a generated key (use the
+This endpoint allows submitting the CA information for the secrets engine via a
+PEM file containing the CA certificate and its private key, concatenated. Not
+needed if you are generating a self-signed root certificate, and not used if you
+have a signed intermediate CA certificate with a generated key (use the
 `/pki/intermediate/set-signed` endpoint for that). _If you have already set a
 certificate and key, they will be overridden._
 
@@ -893,9 +893,9 @@ As with other issued certificates, Vault will automatically revoke the
 generated root at the end of its lease period; the CA certificate will sign its
 own CRL.
 
-As of Vault 0.8.1, if a CA cert/key already exists within the backend, this
-function will return a 204 and will not overwrite it. Previous versions of
-Vault would overwrite the existing cert/key with new values.
+As of Vault 0.8.1, if a CA cert/key already exists, this function will return a
+204 and will not overwrite it. Previous versions of Vault would overwrite the
+existing cert/key with new values.
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |
@@ -920,8 +920,8 @@ Vault would overwrite the existing cert/key with new values.
   Names, in a comma-delimited list.
 
 - `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
-  certificate will be expired). This cannot be larger than the mount max (or, if
-  not set, the system max).
+  certificate will be expired). This cannot be larger than the engine's max (or,
+  if not set, the system max).
 
 - `format` `(string: "pem")` – Specifies the format for returned data. Can be
   `pem`, `der`, or `pem_bundle`. If `der`, the output is base64 encoded. If
@@ -1033,8 +1033,8 @@ verbatim.
   Names, in a comma-delimited list.
 
 - `ttl` `(string: "")` – Specifies the requested Time To Live (after which the
-  certificate will be expired). This cannot be larger than the mount max (or, if
-  not set, the system max). However, this can be after the expiration of the
+  certificate will be expired). This cannot be larger than the engine's max (or,
+  if not set, the system max). However, this can be after the expiration of the
   signing CA.
 
 - `format` `(string: "pem")` – Specifies the format for returned data. Can be
@@ -1255,7 +1255,7 @@ have access.**
 - `csr` `(string: <required>)` – Specifies the PEM-encoded CSR.
 
 - `ttl` `(string: "")` – Specifies the requested Time To Live. Cannot be greater
-  than the mount's `max_ttl` value. If not provided, the mount's `ttl` value
+  than the engine's `max_ttl` value. If not provided, the engine's `ttl` value
   will be used, which defaults to system values if not explicitly set.
 
 - `format` `(string: "pem")` – Specifies the format for returned data. Can be
@@ -1301,7 +1301,7 @@ $ curl \
 
 ## Tidy
 
-This endpoint allows tidying up the backend storage and/or CRL by removing
+This endpoint allows tidying up the storage backend and/or CRL by removing
 certificates that have expired and are past a certain buffer period beyond their
 expiration time.
 
diff --git a/website/source/api/secret/postgresql/index.html.md b/website/source/api/secret/postgresql/index.html.md
index e81fbf0df..a6a18a6f0 100644
--- a/website/source/api/secret/postgresql/index.html.md
+++ b/website/source/api/secret/postgresql/index.html.md
@@ -1,25 +1,25 @@
 ---
 layout: "api"
-page_title: "PostgreSQL Secret Backend - HTTP API"
+page_title: "PostgreSQL - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-postgresql"
 description: |-
-  This is the API documentation for the Vault PostgreSQL secret backend.
+  This is the API documentation for the Vault PostgreSQL secrets engine.
 ---
 
-# PostgreSQL Secret Backend HTTP API
+# PostgreSQL Secrets Engine (API)
 
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the API documentation for
-the new implementation of this backend at
-[PostgreSQL Database Plugin HTTP API](/api/secret/databases/postgresql.html).
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the API documentation for
+the new implementation of this secrets engine at
+[PostgreSQL database plugin HTTP API](/api/secret/databases/postgresql.html).
 
-This is the API documentation for the Vault PostgreSQL secret backend. For
-general information about the usage and operation of the PostgreSQL backend,
-please see the
-[Vault PostgreSQL backend documentation](/docs/secrets/postgresql/index.html).
+This is the API documentation for the Vault PostgreSQL secrets engine. For
+general information about the usage and operation of the PostgreSQL secrets
+engine, please see the [PostgreSQL
+documentation](/docs/secrets/postgresql/index.html).
 
-This documentation assumes the PostgreSQL backend is mounted at the
-`/postgresql` path in Vault. Since it is possible to mount secret backends at
+This documentation assumes the PostgreSQL secrets engine is enabled at the
+`/postgresql` path in Vault. Since it is possible to enable secrets engines at
 any location, please update your API calls accordingly.
 
 ## Configure Connection
diff --git a/website/source/api/secret/rabbitmq/index.html.md b/website/source/api/secret/rabbitmq/index.html.md
index e5dffb5f8..b478b27b4 100644
--- a/website/source/api/secret/rabbitmq/index.html.md
+++ b/website/source/api/secret/rabbitmq/index.html.md
@@ -1,20 +1,20 @@
 ---
 layout: "api"
-page_title: "RabbitMQ Secret Backend - HTTP API"
+page_title: "RabbitMQ - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-rabbitmq"
 description: |-
-  This is the API documentation for the Vault RabbitMQ secret backend.
+  This is the API documentation for the Vault RabbitMQ secrets engine.
 ---
 
-# RabbitMQ Secret Backend HTTP API
+# RabbitMQ Secrets Engine (API)
 
-This is the API documentation for the Vault RabbitMQ secret backend. For general
-information about the usage and operation of the RabbitMQ backend, please see
-the [Vault RabbitMQ backend documentation](/docs/secrets/rabbitmq/index.html).
+This is the API documentation for the Vault RabbitMQ secrets engine. For general
+information about the usage and operation of the RabbitMQ secrets engine, please
+see the [RabbitMQ documentation](/docs/secrets/rabbitmq/index.html).
 
-This documentation assumes the RabbitMQ backend is mounted at the `/rabbitmq`
-path in Vault. Since it is possible to mount secret backends at any location,
-please update your API calls accordingly.
+This documentation assumes the RabbitMQ secrets engine is enabled at the
+`/rabbitmq` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
 
 ## Configure Connection
 
diff --git a/website/source/api/secret/ssh/index.html.md b/website/source/api/secret/ssh/index.html.md
index d003ebf66..a35c27adb 100644
--- a/website/source/api/secret/ssh/index.html.md
+++ b/website/source/api/secret/ssh/index.html.md
@@ -1,19 +1,19 @@
 ---
 layout: "api"
-page_title: "SSH Secret Backend - HTTP API"
+page_title: "SSH - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-ssh"
 description: |-
-  This is the API documentation for the Vault SSH secret backend.
+  This is the API documentation for the Vault SSH secrets engine.
 ---
 
-# SSH Secret Backend HTTP API
+# SSH Secrets Engine (API)
 
-This is the API documentation for the Vault SSH secret backend. For general
-information about the usage and operation of the SSH backend, please see the
-[Vault SSH backend documentation](/docs/secrets/ssh/index.html).
+This is the API documentation for the Vault SSH secrets engine. For general
+information about the usage and operation of the SSH secrets engine, please see
+the [SSH documentation](/docs/secrets/ssh/index.html).
 
-This documentation assumes the SSH backend is mounted at the `/ssh` path in
-Vault. Since it is possible to mount secret backends at any location, please
+This documentation assumes the SSH secrets engine is enabled at the `/ssh` path
+in Vault. Since it is possible to enable secrets engines at any location, please
 update your API calls accordingly.
 
 ## Create/Update Key
@@ -115,7 +115,7 @@ This endpoint creates or updates a named role.
   and certain parts need to be kept out.
 
 - `port` `(int: 22)` – Specifies the port number for SSH connection. Port number
-  does not play any role in OTP generation. For the `otp` backend type, this is
+  does not play any role in OTP generation. For the `otp` secrets engine type, this is
   just a way to inform the client about the port number to use. The port number
   will be	returned to the client by Vault along with the OTP.
 
@@ -603,7 +603,7 @@ $ curl \
 
 ## Submit CA Information
 
-This endpoint allows submitting the CA information for the backend via an SSH
+This endpoint allows submitting the CA information for the secrets engine via an SSH
 key pair. _If you have already set a certificate and key, they will be
 overridden._
 
diff --git a/website/source/api/secret/totp/index.html.md b/website/source/api/secret/totp/index.html.md
index 3cc6e5b06..f89865c70 100644
--- a/website/source/api/secret/totp/index.html.md
+++ b/website/source/api/secret/totp/index.html.md
@@ -1,21 +1,20 @@
 ---
 layout: "api"
-page_title: "TOTP Secret Backend - HTTP API"
+page_title: "TOTP - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-totp"
 description: |-
-  This is the API documentation for the Vault TOTP secret backend.
+  This is the API documentation for the Vault TOTP secrets engine.
 ---
 
-# TOTP Secret Backend HTTP API
+# TOTP Secrets Engine (API)
 
-This is the API documentation for the Vault TOTP secret backend. For
-general information about the usage and operation of the TOTP backend,
-please see the
-[Vault TOTP backend documentation](/docs/secrets/totp/index.html).
+This is the API documentation for the Vault TOTP secrets engine. For general
+information about the usage and operation of the TOTP secrets engine, please see
+the [TOTP documentation](/docs/secrets/totp/index.html).
 
-This documentation assumes the TOTP backend is mounted at the
-`/totp` path in Vault. Since it is possible to mount secret backends at
-any location, please update your API calls accordingly.
+This documentation assumes the TOTP secrets engine is enabled at the `/totp`
+path in Vault. Since it is possible to enable secrets engines at any location,
+please update your API calls accordingly.
 
 ## Create Key
 
diff --git a/website/source/api/secret/transit/index.html.md b/website/source/api/secret/transit/index.html.md
index 89325a6aa..7d4bdd271 100644
--- a/website/source/api/secret/transit/index.html.md
+++ b/website/source/api/secret/transit/index.html.md
@@ -1,20 +1,20 @@
 ---
 layout: "api"
-page_title: "Transit Secret Backend - HTTP API"
+page_title: "Transit - Secrets Engines - HTTP API"
 sidebar_current: "docs-http-secret-transit"
 description: |-
-  This is the API documentation for the Vault Transit secret backend.
+  This is the API documentation for the Vault Transit secrets engine.
 ---
 
-# Transit Secret Backend HTTP API
+# Transit Secrets Engine (API)
 
-This is the API documentation for the Vault Transit secret backend. For general
-information about the usage and operation of the Transit backend, please see the
-[Vault Transit backend documentation](/docs/secrets/transit/index.html).
+This is the API documentation for the Vault Transit secrets engine. For general
+information about the usage and operation of the Transit secrets engine, please
+see the [transit documentation](/docs/secrets/transit/index.html).
 
-This documentation assumes the Transit backend is mounted at the `/transit`
-path in Vault. Since it is possible to mount secret backends at any location,
-please update your API calls accordingly.
+This documentation assumes the transit secrets engine is enabled at the
+`/transit` path in Vault. Since it is possible to enable secrets engines at any
+location, please update your API calls accordingly.
 
 ## Create Key
 
diff --git a/website/source/api/system/mounts.html.md b/website/source/api/system/mounts.html.md
index e1566c1b5..d60e0b60b 100644
--- a/website/source/api/system/mounts.html.md
+++ b/website/source/api/system/mounts.html.md
@@ -3,16 +3,16 @@ layout: "api"
 page_title: "/sys/mounts - HTTP API"
 sidebar_current: "docs-http-system-mounts"
 description: |-
-  The `/sys/mounts` endpoint is used manage secret backends in Vault.
+  The `/sys/mounts` endpoint is used manage secrets engines in Vault.
 ---
 
 # `/sys/mounts`
 
-The `/sys/mounts` endpoint is used manage secret backends in Vault.
+The `/sys/mounts` endpoint is used manage secrets engines in Vault.
 
-## List Mounted Secret Backends
+## List Mounted Secrets Engines
 
-This endpoints lists all the mounted secret backends.
+This endpoints lists all the mounted secrets engines.
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |
@@ -54,9 +54,9 @@ $ curl \
 `default_lease_ttl` or `max_lease_ttl` values of 0 mean that the system defaults
 are used by this backend.
 
-## Mount Secret Backend
+## Mount Secrets Engine
 
-This endpoint mounts a new secret backend at the given path.
+This endpoint mounts a new secrets engine at the given path.
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |
@@ -64,7 +64,7 @@ This endpoint mounts a new secret backend at the given path.
 
 ### Parameters
 
-- `path` `(string: <required>)` – Specifies the path where the secret backend
+- `path` `(string: <required>)` – Specifies the path where the secrets engine
   will be mounted. This is specified as part of the URL.
 
 - `type` `(string: <required>)` – Specifies the type of the backend, such as
@@ -100,7 +100,7 @@ This endpoint mounts a new secret backend at the given path.
 Additionally, the following options are allowed in Vault open-source, but
 relevant functionality is only supported in Vault Enterprise:
 
-- `local` `(bool: false)` – Specifies if the secret backend is a local mount  
+- `local` `(bool: false)` – Specifies if the secrets engine is a local mount
   only. Local mounts are not replicated nor (if a secondary) removed by
   replication.
 
@@ -125,7 +125,7 @@ $ curl \
     https://vault.rocks/v1/sys/mounts/my-mount
 ```
 
-## Unmount Secret Backend
+## Unmount Secrets Engine
 
 This endpoint un-mounts the mount point specified in the URL.
 
diff --git a/website/source/docs/auth/aws.html.md b/website/source/docs/auth/aws.html.md
index c7b823a1d..3a26cb353 100644
--- a/website/source/docs/auth/aws.html.md
+++ b/website/source/docs/auth/aws.html.md
@@ -231,7 +231,7 @@ comparison of the two auth methods.
     to handle EC2 instances, such as restricting access to EC2 instances from
     a particular AMI, EC2 instances in a particular instance profile, or EC2
     instances with a specialized tag value (via the role_tag feature).
-  * The iam auth method authenticates generic AWS IAM principals. This can
+  * The iam auth method authenticates AWS IAM principals. This can
     include IAM users, IAM roles assumed from other accounts, AWS Lambdas that
     are launched in an IAM role, or even EC2 instances that are launched in an
     IAM instance profile. However, because it authenticates more generalized IAM
diff --git a/website/source/docs/commands/delete.html.md b/website/source/docs/commands/delete.html.md
index 5f89bd314..a1e3418ec 100644
--- a/website/source/docs/commands/delete.html.md
+++ b/website/source/docs/commands/delete.html.md
@@ -16,7 +16,7 @@ given path.
 
 ## Examples
 
-Remove data in the status secret backend:
+Remove data in the status secrets engine:
 
 ```text
 $ vault delete secret/my-secret
diff --git a/website/source/docs/commands/lease/revoke.html.md b/website/source/docs/commands/lease/revoke.html.md
index 7c4d54c90..7a996fb89 100644
--- a/website/source/docs/commands/lease/revoke.html.md
+++ b/website/source/docs/commands/lease/revoke.html.md
@@ -35,7 +35,7 @@ flags](/docs/commands/index.html) included on all commands.
 
 - `-force` `(bool: false)` - Delete the lease from Vault even if the secret
   engine revocation fails. This is meant for recovery situations where the
-  secret in the target secret engine was manually removed. If this flag is
+  secret in the target secrets engine was manually removed. If this flag is
   specified, -prefix is also required. This is aliased as "-f". The default is
   false.
 
diff --git a/website/source/docs/commands/list.html.md b/website/source/docs/commands/list.html.md
index 785ff73b5..990935390 100644
--- a/website/source/docs/commands/list.html.md
+++ b/website/source/docs/commands/list.html.md
@@ -4,17 +4,17 @@ page_title: "list - Command"
 sidebar_current: "docs-commands-list"
 description: |-
   The "list" command lists data from Vault at the given path. This can be used
-  to list keys in a, given secret engine.
+  to list keys in a, given secrets engine.
 ---
 
 # list
 
 The `list` command lists data from Vault at the given path. This can be used to
-list keys in a, given secret engine.
+list keys in a, given secrets engine.
 
 ## Examples
 
-List values under the "my-app" folder of the generic secret engine:
+List values under the "my-app" folder of the KV secrets engine:
 
 ```text
 $ vault list secret/my-app/
diff --git a/website/source/docs/commands/path-help.html.md b/website/source/docs/commands/path-help.html.md
index 0e5f77e8a..9ce7c2564 100644
--- a/website/source/docs/commands/path-help.html.md
+++ b/website/source/docs/commands/path-help.html.md
@@ -31,13 +31,13 @@ exact.
 
 ## Examples
 
-Get help output for the generic secrets engine:
+Get help output for the KV secrets engine:
 
 ```text
 $ vault path-help secret
 ## DESCRIPTION
 
-The generic backend reads and writes arbitrary secrets to the backend.
+The KV backend reads and writes arbitrary secrets to the backend.
 The secrets are encrypted/decrypted by Vault: they are never stored
 unencrypted in the backend and the backend never has an opportunity to
 see the unencrypted value.
diff --git a/website/source/docs/commands/secrets.html.md b/website/source/docs/commands/secrets.html.md
index ab91581ab..d7353cc4d 100644
--- a/website/source/docs/commands/secrets.html.md
+++ b/website/source/docs/commands/secrets.html.md
@@ -10,7 +10,7 @@ description: |-
 # secrets
 
 The `secrets` command groups subcommands for interacting with Vault's secrets
-engines. Each secret engine behaves differently. Please see the documentation
+engines. Each secrets engine behaves differently. Please see the documentation
 for more information.
 
 Some secrets engines persist data, some act as data pass-through, and some
@@ -36,7 +36,7 @@ Path          Type         Description
 ----          ----         -----------
 cubbyhole/    cubbyhole    per-token private secret storage
 database/     database     n/a
-secret/       generic      generic secret storage
+secret/       kv           key/value secret storage
 sys/          system       system endpoints used for control, policy and debugging
 ```
 
@@ -69,7 +69,7 @@ Usage: vault secrets <subcommand> [options] [args]
   # ...
 
 Subcommands:
-    disable    Disable a secret engine
+    disable    Disable a secrets engine
     enable     Enable a secrets engine
     list       List enabled secrets engines
     move       Move a secrets engine to a new path
diff --git a/website/source/docs/commands/secrets/list.html.md b/website/source/docs/commands/secrets/list.html.md
index f384dd95a..ce8d6cb22 100644
--- a/website/source/docs/commands/secrets/list.html.md
+++ b/website/source/docs/commands/secrets/list.html.md
@@ -3,7 +3,7 @@ layout: "docs"
 page_title: "secrets list - Command"
 sidebar_current: "docs-commands-secrets-list"
 description: |-
-  The "secrets list" command lists the enabled secret engines on the Vault
+  The "secrets list" command lists the enabled secrets engines on the Vault
   server. This command also outputs information about the enabled path including
   configured TTLs and human-friendly descriptions. A TTL of "system" indicates
   that the system default is in use.
@@ -11,7 +11,7 @@ description: |-
 
 # secrets list
 
-The `secrets list` command lists the enabled secret engines on the Vault server.
+The `secrets list` command lists the enabled secrets engines on the Vault server.
 This command also outputs information about the enabled path including
 configured TTLs and human-friendly descriptions. A TTL of "system" indicates
 that the system default is in use.
@@ -25,7 +25,7 @@ $ vault secrets list
 Path          Type         Description
 ----          ----         -----------
 cubbyhole/    cubbyhole    per-token private secret storage
-secret/       generic      generic secret storage
+secret/       kv           key/value secret storage
 sys/          system       system endpoints used for control, policy and debugging
 ```
 
@@ -36,7 +36,7 @@ $ vault secrets list -detailed
 Path          Type         Accessor              Plugin    Default TTL    Max TTL    Force No Cache    Replication    Description
 ----          ----         --------              ------    -----------    -------    --------------    -----------    -----------
 cubbyhole/    cubbyhole    cubbyhole_10fbb584    n/a       n/a            n/a        false             local          per-token private secret storage
-secret/       generic      generic_167ce199      n/a       system         system     false             replicated     generic secret storage
+secret/       kv           kv_167ce199           n/a       system         system     false             replicated     key/value secret storage
 sys/          system       system_a9fd745d       n/a       n/a            n/a        false             replicated     system endpoints used for control, policy and debugging
 ```
 
diff --git a/website/source/docs/commands/secrets/move.html.md b/website/source/docs/commands/secrets/move.html.md
index 11b6f8f07..3b0f0371d 100644
--- a/website/source/docs/commands/secrets/move.html.md
+++ b/website/source/docs/commands/secrets/move.html.md
@@ -19,10 +19,10 @@ engine.**
 
 ## Examples
 
-Move the existing secrets engine at secret/ to generic/:
+Move the existing secrets engine at secret/ to kv/:
 
 ```text
-$ vault secrets move secret/ generic/
+$ vault secrets move secret/ kv/
 ```
 
 ## Usage
diff --git a/website/source/docs/commands/write.html.md b/website/source/docs/commands/write.html.md
index aadc2e123..1c6bb0bd6 100644
--- a/website/source/docs/commands/write.html.md
+++ b/website/source/docs/commands/write.html.md
@@ -19,11 +19,11 @@ is loaded from a file. If the value is "-", Vault will read the value from
 stdin.
 
 For a full list of examples and paths, please see the documentation that
-corresponds to the secret engines in use.
+corresponds to the secrets engines in use.
 
 ## Examples
 
-Persist data in the generic secrets engine:
+Persist data in the KV secrets engine:
 
 ```text
 $ vault write secret/my-secret foo=bar
diff --git a/website/source/docs/concepts/dev-server.html.md b/website/source/docs/concepts/dev-server.html.md
index 2a7e54e5f..446f5980b 100644
--- a/website/source/docs/concepts/dev-server.html.md
+++ b/website/source/docs/concepts/dev-server.html.md
@@ -44,7 +44,7 @@ The properties of the dev server:
 ## Use Case
 
 The dev server should be used for experimentation with Vault features, such
-as different auth methods, secret backends, audit backends, etc.
+as different auth methods, secrets engines, audit backends, etc.
 If you're new to Vault, you may want to pick up with [Your First
 Secret](/intro/getting-started/first-secret.html) in
 our getting started guide.
diff --git a/website/source/docs/concepts/lease.html.md b/website/source/docs/concepts/lease.html.md
index 44aefc98b..4b36c0322 100644
--- a/website/source/docs/concepts/lease.html.md
+++ b/website/source/docs/concepts/lease.html.md
@@ -26,7 +26,7 @@ to check in routinely.
 
 In addition to renewals, a lease can be _revoked_. When a lease is revoked, it
 invalidates that secret immediately and prevents any further renewals. For
-example, with the [AWS secret backend](/docs/secrets/aws/index.html), the
+example, with the [AWS secrets engine](/docs/secrets/aws/index.html), the
 access keys will be deleted from AWS the moment a secret is revoked. This
 renders the access keys invalid from that point forward.
 
diff --git a/website/source/docs/enterprise/replication/index.html.md b/website/source/docs/enterprise/replication/index.html.md
index 6b138d83e..f55bc2e47 100644
--- a/website/source/docs/enterprise/replication/index.html.md
+++ b/website/source/docs/enterprise/replication/index.html.md
@@ -50,7 +50,7 @@ encryption keys for `transit`, etc).
 
 If a user action would modify underlying shared state, the secondary forwards the request
 to the primary to be handled; this is transparent to the client. In practice, most
-high-volume workloads (reads in the `generic` backend, encryption/decryption operations
+high-volume workloads (reads in the `kv` backend, encryption/decryption operations
 in `transit`, etc.) can be satisfied by the local secondary, allowing Vault to scale
 relatively horizontally with the number of secondaries rather than vertically as
 in the past.
@@ -68,7 +68,7 @@ They do not forward service read or write requests until they are elected and be
 | Capability                                                                                                               	| Disaster Recovery 	| Performance                                                              	|
 |--------------------------------------------------------------------------------------------------------------------------	|-------------------	|--------------------------------------------------------------------------	|
 | Mirrors the secrets infrastructure of a primary cluster                                                                  	| Yes               	| Yes                                                                      	|
-| Mirrors the configuration of a primary cluster’s backends (i.e.: auth methods, storage backends, secret backends, etc.) 	| Yes               	| Yes                                                                      	|
+| Mirrors the configuration of a primary cluster’s backends (i.e.: auth methods, storage backends, secrets engines, etc.) 	| Yes               	| Yes                                                                      	|
 | Contains a local replica of secrets on the secondary and allows the secondary to forward writes                          	| No                	| Yes                                                                      	|
 | Mirrors the token auth infrastructure for applications or users interacting with the primary cluster                     	| Yes               	| No. Upon promotion, applications must re-auth tokens with a new primary. 	|
 
diff --git a/website/source/docs/internals/architecture.html.md b/website/source/docs/internals/architecture.html.md
index 75103740a..b74f07de9 100644
--- a/website/source/docs/internals/architecture.html.md
+++ b/website/source/docs/internals/architecture.html.md
@@ -33,7 +33,7 @@ clarify what is being discussed:
   that only encrypted data is written out, and that data is verified and decrypted on the way
   in. Much like a bank vault, the barrier must be "unsealed" before anything inside can be accessed.
 
-* **Secret Backend** - A secret backend is responsible for managing secrets. Simple secret backends
+* **Secrets Engine** - A secrets engine is responsible for managing secrets. Simple secrets engines
   like the "kv" backend simply return the same secret when queried. Some backends support
   using policies to dynamically generate a secret each time they are queried. This allows for
   unique secrets to be used which allows Vault to do fine-grained revocation and policy updates.
@@ -136,7 +136,7 @@ may need to be periodically renewed to avoid invalidation.
 
 Once authenticated, requests are made providing the client token. The token is used
 to verify the client is authorized and to load the relevant policies. The policies
-are used to authorize the client request. The request is then routed to the secret backend,
+are used to authorize the client request. The request is then routed to the secrets engine,
 which is processed depending on the type of backend. If the backend returns a secret,
 the core registers it with the expiration manager and attaches a lease ID.
 The lease ID is used by clients to renew or revoke their secret. If a client allows the
diff --git a/website/source/docs/internals/telemetry.html.md b/website/source/docs/internals/telemetry.html.md
index ecd75b7ff..46e359311 100644
--- a/website/source/docs/internals/telemetry.html.md
+++ b/website/source/docs/internals/telemetry.html.md
@@ -128,12 +128,12 @@ These metrics relate to supported auth methods.
 | `vault.rollback.attempt.auth-token-` | This measures the number of rollback operations attempted for authentication tokens backend | Number of operations | Summary |
 | `vault.rollback.attempt.auth-ldap-` | This measures the number of rollback operations attempted for the LDAP auth method | Number of operations | Summary |
 | `vault.rollback.attempt.cubbyhole-` | This measures the number of rollback operations attempted for the cubbyhole auth method | Number of operations | Summary |
-| `vault.rollback.attempt.secret-` | This measures the number of rollback operations attempted for the kv secret backend | Number of operations | Summary |
+| `vault.rollback.attempt.secret-` | This measures the number of rollback operations attempted for the kv secrets engine | Number of operations | Summary |
 | `vault.rollback.attempt.sys-` | This measures the number of rollback operations attempted for the sys backend | Number of operations | Summary |
 | `vault.route.rollback.auth-ldap-` | This measures the number of rollback operations for the LDAP auth method | Number of operations | Summary |
 | `vault.route.rollback.auth-token-` | This measures the number of rollback operations for the authentication tokens backend | Number of operations | Summary |
 | `vault.route.rollback.cubbyhole-` | This measures the number of rollback operations for the cubbyhole auth method | Number of operations | Summary |
-| `vault.route.rollback.secret-` | This measures the number of rollback operations for the kv secret backend | Number of operations | Summary |
+| `vault.route.rollback.secret-` | This measures the number of rollback operations for the kv secrets engine | Number of operations | Summary |
 | `vault.route.rollback.sys-` | This measures the number of rollback operations for the sys backend | Number of operations | Summary |
 
 ### Storage Backend Metrics
diff --git a/website/source/docs/plugin/index.html.md b/website/source/docs/plugin/index.html.md
index 096eb9e3c..277e67317 100644
--- a/website/source/docs/plugin/index.html.md
+++ b/website/source/docs/plugin/index.html.md
@@ -9,7 +9,7 @@ description: |-
 # Custom Plugin Backends
 
 Plugin backends are the components in Vault that can be implemented separately from Vault's
-builtin backends. These backends can be either authentication or secret backends.
+builtin backends. These backends can be either authentication or secrets engines.
 
 Detailed information regarding the plugin system can be found in the
 [internals documentation](https://www.vaultproject.io/docs/internals/plugins.html).
diff --git a/website/source/docs/secrets/aws/index.html.md b/website/source/docs/secrets/aws/index.html.md
index c525dacca..a10287a34 100644
--- a/website/source/docs/secrets/aws/index.html.md
+++ b/website/source/docs/secrets/aws/index.html.md
@@ -1,148 +1,129 @@
 ---
 layout: "docs"
-page_title: "AWS Secret Backend"
+page_title: "AWS - Secrets Engines"
 sidebar_current: "docs-secrets-aws"
 description: |-
-  The AWS secret backend for Vault generates access keys dynamically based on IAM policies.
+  The AWS secrets engine for Vault generates access keys dynamically based on
+  IAM policies.
 ---
 
-# AWS Secret Backend
+# AWS Secrets Engine
 
-Name: `aws`
+The AWS secrets engine generates AWS access credentials dynamically based on IAM
+policies. This generally makes working with AWS IAM easier, since it does not
+involve clicking in the web UI. Additionally, the process is codified and mapped
+to internal auth methods (such as LDAP). The AWS IAM credentials are time-based
+and are automatically revoked when the Vault lease expires.
 
-The AWS secret backend for Vault generates AWS access credentials dynamically
-based on IAM policies. This makes IAM much easier to use: credentials could
-be generated on the fly, and are automatically revoked when the Vault
-lease is expired.
+## Setup
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
 
-## Quick Start
+1. Enable the AWS secrets engine:
 
-The first step to using the aws backend is to mount it.
-Unlike the `kv` backend, the `aws` backend is not mounted by default.
+    ```text
+    $ vault secrets enable aws
+    Success! Enabled the aws secrets engine at: aws/
+    ```
 
-```text
-$ vault mount aws
-Successfully mounted 'aws' at 'aws'!
-```
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-Next, we must configure the credentials that Vault uses to manage the IAM credentials generated by this secret backend:
+1. Configure the credentials that Vault uses to communicate with AWS to generate
+the IAM credentials:
 
-```text
-$ vault write aws/config/root \
-    access_key=AKIAJWVN5Z4FOFT7NLNA \
-    secret_key=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 \
-    region=us-east-1
-```
+    ```text
+    $ vault write aws/config/root \
+        access_key=AKIAJWVN5Z4FOFT7NLNA \
+        secret_key=R4nm063hgMVo4BTT5xOs5nHLeLXA6lar7ZJ3Nt0i \
+        region=us-east-1
+    ```
 
-*Note that `root` does not mean it needs to be your AWS account's root credentials, and it 
-probably should not be. It is also unnecessary in many cases as Vault will use normal AWS credential mechanisms (instance profile, env vars, etc.) when possible. If you need to use static credentials, create an IAM user with permissions to manage IAM and STS.
-See below for the specific actions required.*
+    Internally, Vault will connect to AWS using these credentials. As such,
+    these credentials must be a superset of any policies which might be granted
+    on IAM credentials. Since Vault uses the official AWS SDK, it will use the
+    specified credentials. You can also specify the credentials via the standard
+    AWS environment credentials, shared file credentials, or IAM role/ECS task
+    credentials.
 
-The following parameters are required:
+    ~> **Notice:** Even though the path above is `aws/config/root`, do not use
+    your AWS root account credentials. Instead generate a dedicated user or
+    role.
 
-- `access_key` - the AWS access key that has permission to manage IAM
-  credentials.
-- `secret_key` - the AWS secret key that has permission to manage IAM
-  credentials.
+1. Configure a role that maps a name in Vault to a policy or policy file in AWS.
+When users generate credentials, they are generated against this role:
 
-The following parameter is optional:
-
-- `region` the AWS region for API calls. If not provided, the `AWS_REGION` and
-  `AWS_DEFAULT_REGION` env vars will be used, in that order. If there is still
-  no region, `us-east-1` will be used as a fallback.
-
-Note: the client uses the official AWS SDK and will use the specified
-credentials, environment credentials, shared file credentials, or IAM role/ECS
-task credentials in that order.
-
-The next step is to configure a role. A role is a logical name that maps
-to a policy used to generated those credentials.
-You can either supply a user inline policy (via the policy argument), or
-provide a reference to an existing AWS policy by supplying the full ARN
-reference (via the arn argument).
-
-For example, lets first create a "deploy" role using an user inline policy as an example:
-
-```text
-$ vault write aws/roles/deploy \
-    policy=@policy.json
-```
-
-This path will create a named role along with the IAM policy used
-to restrict permissions for it. This is used to dynamically create
-a new pair of IAM credentials when needed.
-
-The `@` tells Vault to load the policy from the file named `policy.json`. Here
-is an example IAM policy to get started:
-
-```javascript
-{
-  "Version": "2012-10-17",
-  "Statement": [
+    ```text
+    $ vault write aws/roles/my-role \
+        policy=-<<EOF
     {
-      "Effect": "Allow",
-      "Action": "iam:*",
-      "Resource": "*"
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "ec2:*",
+          "Resource": "*"
+        }
+      ]
     }
-  ]
-}
-```
+    EOF
+    ```
 
-As a second example, lets create a "readonly" role using an existing AWS policy as an example:
+    This creates a role named "my-role". When users generate credentials against
+    this role, the resulting IAM credential will have the permissions specified
+    in the policy provided as the argument.
 
-```text
-$ vault write aws/roles/readonly arn=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
-```
+    You can either supply a user inline policy or provide a reference to an
+    existing AWS policy's full ARN:
 
-This path will create a named role pointing to an existing IAM policy used
-to restrict permissions for it. This is used to dynamically create
-a new pair of IAM credentials when needed.
+    ```text
+    $ vault write aws/roles/my-other-role \
+        arn=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
+    ```
 
-For more information on IAM policies, please see the
-[AWS IAM policy documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html).
+    For more information on IAM policies, please see the
+    [AWS IAM policy documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html).
 
+## Usage
 
-To generate a new set of IAM credentials, we simply read from that role:
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
 
-```text
-$ vault read aws/creds/deploy
-Key             Value
-lease_id        aws/creds/deploy/7cb8df71-782f-3de1-79dd-251778e49f58
-lease_duration  3600
-access_key      AKIAIOMYUTSLGJOGLHTQ
-secret_key      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
-security_token  <nil>
-```
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
 
-If you run the command again, you will get a new set of credentials:
+    ```text
+    $ vault read aws/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           aws/creds/my-role/f3e92392-7d9c-09c8-c921-575d62fe80d8
+    lease_duration     768h
+    lease_renewable    true
+    access_key         AKIAIOWQXTLW36DV7IEA
+    secret_key         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
+    security_token     <nil>
+    ```
 
-```text
-$ vault read aws/creds/deploy
-Key             Value
-lease_id        aws/creds/deploy/82d89562-ff19-382e-6be9-cb45c8f6a42d
-lease_duration  3600
-access_key      AKIAJZ5YRPHFH3QHRRRQ
-secret_key      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
-security_token  <nil>
-```
+    Each invocation of the command will generate a new credential.
 
-## Dynamic IAM users
+    Unfortunately, IAM credentials are eventually consistent with respect to
+    other Amazon services. If you are planning on using these credential in a
+    pipeline, you may need to add a delay of 5-10 seconds (or more) after
+    fetching credentials before they can be used successfully.
 
-The `aws/creds` endpoint will dynamically create a new IAM user and respond
-with an IAM access key for the newly created user.
+    If you want to be able to use credentials without the wait, consider using
+    the STS method of fetching keys. IAM credentials supported by an STS token
+    are available for use as soon as they are generated.
 
-The [Quick Start](#quick-start) describes how to setup the `aws/creds` endpoint.
+## Example IAM Policy for Vault
 
-## Root Credentials for Dynamic IAM users
+The `aws/config/root` credentials need permission to manage dynamic IAM users.
+Here is an example AWS IAM policy that grants the most commonly required
+permissions Vault needs:
 
-The `aws/config/root` credentials need permission to manage dynamic IAM users.  
-This does not mean it needs to be your AWS account's root credentials, and we would not suggest using them.
-Here is an example IAM policy that would grant these permissions:
-
-```javascript
+```json
 {
   "Version": "2012-10-17",
   "Statement": [
@@ -171,22 +152,6 @@ Here is an example IAM policy that would grant these permissions:
 }
 ```
 
-Note that this policy example is unrelated to the policy you wrote to `aws/roles/deploy`.
-This policy example should be applied to the IAM user (or role) associated with
-the root credentials that you wrote to `aws/config/root`. You have to apply it
-yourself in IAM. The policy you wrote to `aws/roles/deploy` is the policy you
-want the AWS secret backend to apply to the temporary credentials it returns
-from `aws/creds/deploy`.
-
-Unfortunately, IAM credentials are eventually consistent with respect to other
-Amazon services. If you are planning on using these credential in a pipeline,
-you may need to add a delay of 5-10 seconds (or more) after fetching
-credentials before they can be used successfully.
-
-If you want to be able to use credentials without the wait, consider using the STS
-method of fetching keys. IAM credentials supported by an STS token are available for use
-as soon as they are generated.
-
 ## STS credentials
 
 Vault also supports an STS credentials instead of creating a new IAM user.
@@ -374,6 +339,6 @@ errors for exceeding the AWS limit of 32 characters on STS token names.
 
 ## API
 
-The AWS secret backend has a full HTTP API. Please see the
-[AWS secret backend API](/api/secret/aws/index.html) for more
+The AWS secrets engine has a full HTTP API. Please see the
+[AWS secrets engine API](/api/secret/aws/index.html) for more
 details.
diff --git a/website/source/docs/secrets/cassandra/index.html.md b/website/source/docs/secrets/cassandra/index.html.md
index 0269f64f0..667894ea0 100644
--- a/website/source/docs/secrets/cassandra/index.html.md
+++ b/website/source/docs/secrets/cassandra/index.html.md
@@ -1,21 +1,19 @@
 ---
 layout: "docs"
-page_title: "Cassandra Secret Backend"
+page_title: "Cassandra - Secrets Engines"
 sidebar_current: "docs-secrets-cassandra"
 description: |-
-  The Cassandra secret backend for Vault generates database credentials to access Cassandra.
+  The Cassandra secrets engine for Vault generates database credentials to access Cassandra.
 ---
 
-# Cassandra Secret Backend
+# Cassandra Secrets Engine
 
-Name: `cassandra`
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[Cassandra database plugin](/docs/secrets/databases/cassandra.html).
 
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the documentation for
-the new implementation of this backend at
-[Cassandra Database Plugin](/docs/secrets/databases/cassandra.html).
-
-The Cassandra secret backend for Vault generates database credentials
+The Cassandra secrets engine for Vault generates database credentials
 dynamically based on configured roles. This means that services that need
 to access a database no longer need to hardcode credentials: they can request
 them from Vault, and use Vault's leasing mechanism to more easily roll keys.
@@ -25,17 +23,17 @@ the database with unique credentials, it makes auditing much easier when
 questionable data access is discovered: you can track it down to the specific
 instance of a service based on the Cassandra username.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
 
 ## Quick Start
 
-The first step to using the Cassandra backend is to mount it.
-Unlike the `kv` backend, the `cassandra` backend is not mounted by default.
+The first step to using the Cassandra secrets engine is to mount it. Unlike the
+`kv` secrets engine, the `cassandra` secrets engine is not mounted by default.
 
 ```text
-$ vault mount cassandra
-Successfully mounted 'cassandra' at 'cassandra'!
+$ vault secrets enable cassandra
+Success! Enabled the cassandra secrets engine at: cassandra/
 ```
 
 Next, Vault must be configured to connect to Cassandra. This is done by
@@ -76,12 +74,13 @@ Vault is now configured to create and manage credentials for Cassandra!
 
 ```text
 $ vault read cassandra/creds/readonly
-Key           	Value
-lease_id       	cassandra/creds/test/7a23e890-3a26-531d-529b-92d18d1fa63f
-lease_duration 	3600
-lease_renewable	true
-password       	dfa80eea-ccbe-b228-ebf7-e2f62b245e71
-username       	vault-root-1434647667-9313
+Key                Value
+---                -----
+lease_id           cassandra/creds/test/7a23e890-3a26-531d-529b-92d18d1fa63f
+lease_duration     3600
+lease_renewable    true
+password           dfa80eea-ccbe-b228-ebf7-e2f62b245e71
+username           vault-root-1434647667-9313
 ```
 
 By reading from the `creds/readonly` path, Vault has generated a new
@@ -89,7 +88,7 @@ set of credentials using the `readonly` role configuration. Here we
 see the dynamically generated username and password, along with a one
 hour lease.
 
-Using ACLs, it is possible to restrict using the `cassandra` backend such
+Using ACLs, it is possible to restrict using the `cassandra` secrets engine such
 that trusted operators can manage the role definitions, and both
 users and applications are restricted in the credentials they are
 allowed to read.
@@ -99,6 +98,6 @@ subpath for interactive help output.
 
 ## API
 
-The Cassandra secret backend has a full HTTP API. Please see the
-[Cassandra secret backend API](/api/secret/cassandra/index.html) for more
+The Cassandra secrets engine has a full HTTP API. Please see the
+[Cassandra secrets engine API](/api/secret/cassandra/index.html) for more
 details.
diff --git a/website/source/docs/secrets/consul/index.html.md b/website/source/docs/secrets/consul/index.html.md
index d12ef8cfe..86c3e2d87 100644
--- a/website/source/docs/secrets/consul/index.html.md
+++ b/website/source/docs/secrets/consul/index.html.md
@@ -1,103 +1,95 @@
 ---
 layout: "docs"
-page_title: "Consul Secret Backend"
+page_title: "Consul - Secrets Engines"
 sidebar_current: "docs-secrets-consul"
 description: |-
-  The Consul secret backend for Vault generates tokens for Consul dynamically.
+  The Consul secrets engine for Vault generates tokens for Consul dynamically.
 ---
 
-# Consul Secret Backend
+# Consul Secrets Engine
 
-Name: `consul`
+The Consul secrets engine generates [Consul](https://www.consul.io) API tokens
+dynamically based on Consul ACL policies.
 
-The Consul secret backend for Vault generates
-[Consul](https://www.consul.io)
-API tokens dynamically based on Consul ACL policies.
+## Setup
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
 
-## Quick Start
+1. Enable the Consul secrets engine:
 
-The first step to using the consul backend is to mount it.
-Unlike the `kv` backend, the `consul` backend is not mounted by default.
+    ```text
+    $ vault secrets enable consul
+    Success! Enabled the consul secrets engine at: consul/
+    ```
 
-```
-$ vault mount consul
-Successfully mounted 'consul' at 'consul'!
-```
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-[Acquire a management token from
-Consul](https://www.consul.io/docs/agent/http/acl.html#acl_create), using the
-`acl_master_token` from your Consul configuration file or any other management
+1. Acquire a [management token][consul-mgmt-token] from Consul, using the
+`acl_master_token` from your Consul configuration file or another management
 token:
 
-```shell
-$ curl \
-    -H "X-Consul-Token: secret" \
-    -X PUT \
-    -d '{"Name": "sample", "Type": "management"}' \
-    http://127.0.0.1:8500/v1/acl/create
-```
-```javascript
-{
-  "ID": "adf4238a-882b-9ddc-4a9d-5b6758e4159e"
-}
-```
+    ```sh
+    $ curl \
+        --header "X-Consul-Token: my-management-token" \
+        --request PUT \
+        --data '{"Name": "sample", "Type": "management"}' \
+        https://consul.rocks/v1/acl/create
+    ```
 
-Next, we must configure Vault to know how to contact Consul.
-This is done by writing the access information:
+    Vault must have a management type token so that it can create and revoke ACL
+    tokens. The response will return a new token:
 
-```
-$ vault write consul/config/access \
-    address=127.0.0.1:8500 \
-    token=adf4238a-882b-9ddc-4a9d-5b6758e4159e
-Success! Data written to: consul/config/access
-```
+    ```json
+    {
+      "ID": "7652ba4c-0f6e-8e75-5724-5e083d72cfe4"
+    }
+    ```
 
-In this case, we've configured Vault to connect to Consul
-on the default port with the loopback address. We've also provided
-an ACL token to use with the `token` parameter. Vault must have a management
-type token so that it can create and revoke ACL tokens.
+1. Configure Vault to connect and authenticate to Consul:
 
-The next step is to configure a role. A role is a logical name that maps
-to a role used to generate those credentials. For example, lets create
-a "readonly" role:
+    ```text
+    $ vault write consul/config/access \
+        address=127.0.0.1:8500 \
+        token=7652ba4c-0f6e-8e75-5724-5e083d72cfe4
+    Success! Data written to: consul/config/access
+    ```
 
-```
-POLICY='key "" { policy = "read" }'
-$ echo $POLICY | base64 | vault write consul/roles/readonly policy=-
-Success! Data written to: consul/roles/readonly
-```
+1. Configure a role that maps a name in Vault to a Consul ACL policy.
+When users generate credentials, they are generated against this role:
 
-The backend expects the policy to be base64 encoded, so we need to encode it
-properly before writing. The policy language is [documented by
-Consul](https://www.consul.io/docs/internals/acl.html), but we've defined a
-read-only policy.
+    ```text
+    $ vault write consul/roles/my-role policy=$(base64 <<< 'key "" { policy = "read" }')
+    Success! Data written to: consul/roles/my-role
+    ```
 
-To generate a new set Consul ACL token, we simply read from that role:
+    The policy must be base64-encoded. The policy language is [documented by
+    Consul](https://www.consul.io/docs/internals/acl.html).
 
-```
-$ vault read consul/creds/readonly
-Key           	Value
-lease_id      	consul/creds/readonly/c7a3bd77-e9af-cfc4-9cba-377f0ef10e6c
-lease_duration	3600
-token         	973a31ea-1ec4-c2de-0f63-623f477c2510
-```
+## Usage
 
-Here we can see that Vault has generated a new Consul ACL token for us.
-We can test this token out, and verify that it is read-only:
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
 
-```
-$ curl 127.0.0.1:8500/v1/kv/foo?token=973a31ea-1ec4-c2de-0f63-623f477c2510
-[{"CreateIndex":12,"ModifyIndex":53,"LockIndex":4,"Key":"foo","Flags":3304740253564472344,"Value":"YmF6"}]
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
 
-$ curl -X PUT -d 'test' 127.0.0.1:8500/v1/kv/foo?token=973a31ea-1ec4-c2de-0f63-623f477c2510
-Permission denied
-```
+    ```text
+    $ vault read consul/creds/readonly
+    Key                Value
+    ---                -----
+    lease_id           consul/creds/my-role/b2469121-f55f-53c5-89af-a3ba52b1d6d8
+    lease_duration     768h
+    lease_renewable    true
+    token              642783bf-1540-526f-d4de-fe1ac1aed6f0
+    ```
 
 ## API
 
-The Consul secret backend has a full HTTP API. Please see the
-[Consul secret backend API](/api/secret/consul/index.html) for more
+The Consul secrets engine has a full HTTP API. Please see the
+[Consul secrets engine API](/api/secret/consul/index.html) for more
 details.
+
+[consul-mgmt-token]: https://www.consul.io/docs/agent/http/acl.html#acl_create
diff --git a/website/source/docs/secrets/cubbyhole/index.html.md b/website/source/docs/secrets/cubbyhole/index.html.md
index d991125c9..07f3b7759 100644
--- a/website/source/docs/secrets/cubbyhole/index.html.md
+++ b/website/source/docs/secrets/cubbyhole/index.html.md
@@ -1,58 +1,58 @@
 ---
 layout: "docs"
-page_title: "Cubbyhole Secret Backend"
+page_title: "Cubbyhole - Secrets Engines"
 sidebar_current: "docs-secrets-cubbyhole"
 description: |-
-  The cubbyhole secret backend can store arbitrary secrets scoped to a single token.
+  The cubbyhole secrets engine can store arbitrary secrets scoped to a single token.
 ---
 
-# Cubbyhole Secret Backend
+# Cubbyhole Secrets Engine
 
-Name: `cubbyhole`
+The `cubbyhole` secrets engine is used to store arbitrary secrets within the
+configured physical storage for Vault namespaced to a token. In `cubbyhole`,
+paths are scoped per token. No token can access another token's cubbyhole. When
+the token expires, its cubbyhole is destroyed.
 
-The `cubbyhole` secret backend is used to store arbitrary secrets within
-the configured physical storage for Vault. It is mounted at the `cubbyhole/`
-prefix by default and cannot be mounted elsewhere or removed.
+Also unlike the `kv` secrets engine, because the cubbyhole's lifetime is
+linked to that of an authentication token, there is no concept of a TTL or
+refresh interval for values contained in the token's cubbyhole.
 
-This backend differs from the `kv` backend in that the `kv` backend's
-values are accessible to any token with read privileges on that path. In
-`cubbyhole`, paths are scoped per token; no token can access another token's
-cubbyhole, whether to read, write, list, or for any other operation. When the
-token expires, its cubbyhole is destroyed.
+Writing to a key in the `cubbyhole` secrets engine will completely replace the
+old value.
 
-Also unlike the `kv` backend, because the cubbyhole's lifetime is linked
-to that of an authentication token, there is no concept of a TTL or refresh
-interval for values contained in the token's cubbyhole.
+## Setup
 
-Writing to a key in the `cubbyhole` backend will replace the old value;
-the sub-fields are not merged together.
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
 
-## Quick Start
+The `cubbyhole` secrets engine is enabled by default. It cannot be disabled,
+moved, or enabled multiple times.
 
-The `cubbyhole` backend allows for writing keys with arbitrary values.
+## Usage
 
-As an example, we can write a new key "foo" to the `cubbyhole` backend, which
-is mounted at `cubbyhole/`:
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials. The `cubbyhole` secrets
+engine allows for writing keys with arbitrary values.
 
-```
-$ vault write cubbyhole/foo \
-    zip=zap
-Success! Data written to: cubbyhole/foo
-```
+1. Write arbitrary data:
 
-This writes the key with the "zip" field set to "zap". We can test this by doing
-a read:
+    ```text
+    $ vault write cubbyhole/my-secret my-value=s3cr3t
+    Success! Data written to: cubbyhole/my-secret
+    ```
 
-```
-$ vault read cubbyhole/foo
-Key           	Value
-zip           	zap
-```
+1. Read arbitrary data:
 
-As expected, the value previously set is returned to us.
+    ```text
+    $ vault read cubbyhole/my-secret
+    Key         Value
+    ---         -----
+    my-value    s3cr3t
+    ```
 
 ## API
 
-The Cubbyhole secret backend has a full HTTP API. Please see the
-[Cubbyhole secret backend API](/api/secret/cubbyhole/index.html) for more
+The Cubbyhole secrets engine has a full HTTP API. Please see the
+[Cubbyhole secrets engine API](/api/secret/cubbyhole/index.html) for more
 details.
diff --git a/website/source/docs/secrets/databases/cassandra.html.md b/website/source/docs/secrets/databases/cassandra.html.md
index 8fa888bf8..e68d2b38c 100644
--- a/website/source/docs/secrets/databases/cassandra.html.md
+++ b/website/source/docs/secrets/databases/cassandra.html.md
@@ -1,61 +1,82 @@
 ---
 layout: "docs"
-page_title: "Cassandra Database Plugin - Database Secret Backend"
+page_title: "Cassandra - Database - Secrets Engines"
 sidebar_current: "docs-secrets-databases-cassandra"
 description: |-
-  The Cassandra plugin for Vault's Database backend generates database credentials to access Cassandra.
+  Cassandra is one of the supported plugins for the database secrets engine.
+  This plugin generates database credentials dynamically based on configured
+  roles for the Cassandra database.
 ---
 
-# Cassandra Database Plugin
+# Cassandra Database Secrets Engine
 
-Name: `cassandra-database-plugin`
+Cassandra is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the Cassandra database.
 
-The Cassandra Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
-configured roles for the Cassandra database.
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
 
-See the [Database Backend](/docs/secrets/databases/index.html) docs for more
-information about setting up the Database Backend.
+## Setup
 
-## Quick Start
+1. Enable the database secrets engine if it is not already enabled:
 
-After the Database Backend is mounted you can configure a cassandra connection
-by specifying this plugin as the `"plugin_name"` argument. Here is an example
-cassandra configuration:
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
 
-```
-$ vault write database/config/cassandra \
-    plugin_name=cassandra-database-plugin \
-    allowed_roles="readonly" \
-    hosts=localhost \
-    username=cassandra \
-    password=cassandra
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
-```
+1. Configure Vault with the proper plugin and connection information:
 
-Once the cassandra connection is configured we can add a role:
+    ```text
+    $ vault write database/config/my-cassandra-database \
+        plugin_name="cassandra-database-plugin" \
+        hosts=127.0.0.1 \
+        protocol_version=4 \
+        username=cassandra \
+        password=cassandra \
+        allowed_roles=my-role
+    ```
 
-```
-$ vault write database/roles/readonly \
-    db_name=cassandra \
-    creation_statements="CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; \
-         GRANT SELECT ON ALL KEYSPACES TO {{username}};" \
-    default_ttl="1h" \
-    max_ttl="24h"
+1. Configure a role that maps a name in Vault to an SQL statement to execute to
+create the database credential:
 
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-cassandra-database \
+        creation_statements="CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER; \
+             GRANT SELECT ON ALL KEYSPACES TO {{username}};" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
 
-Success! Data written to: database/roles/readonly
-```
+## Usage
 
-This role can be used to retrieve a new set of credentials by querying the
-"database/creds/readonly" endpoint.
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
 
 ## API
 
 The full list of configurable options can be seen in the [Cassandra database
 plugin API](/api/secret/databases/cassandra.html) page.
 
-For more information on the Database secret backend's HTTP API please see the [Database secret
-backend API](/api/secret/databases/index.html) page.
+For more information on the database secrets engine's HTTP API please see the [Database secret
+secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/custom.html.md b/website/source/docs/secrets/databases/custom.html.md
index 8a66436c9..7bd5316e3 100644
--- a/website/source/docs/secrets/databases/custom.html.md
+++ b/website/source/docs/secrets/databases/custom.html.md
@@ -1,23 +1,26 @@
 ---
 layout: "docs"
-page_title: "Custom Database Plugins - Database Secret Backend"
+page_title: "Custom - Database - Secrets Engines"
 sidebar_current: "docs-secrets-databases-custom"
 description: |-
-  Creating custom database plugins for Vault's Database backend to generate credentials for a database.
+  The database secrets engine allows new functionality to be added through a
+  plugin interface without needing to modify vault's core code. This allows you
+  write your own code to generate credentials in any database you wish. It also
+  allows databases that require dynamically linked libraries to be used as
+  plugins while keeping Vault itself statically linked.
 ---
 
-# Custom Database Plugins
+# Custom Database Secrets Engines
 
-The Database backend allows new functionality to be added through a plugin
-interface without needing to modify vault's core code. This allows you write
-your own code to generate credentials in any database you wish. It also allows
-databases that require dynamically linked libraries to be used as plugins while
-keeping Vault itself statically linked.
+The database secrets engine allows new functionality to be added through a
+plugin interface without needing to modify vault's core code. This allows you
+write your own code to generate credentials in any database you wish. It also
+allows databases that require dynamically linked libraries to be used as plugins
+while keeping Vault itself statically linked.
 
-~> **Advanced topic!** Plugin development is a highly advanced
-topic in Vault, and is not required knowledge for day-to-day usage.
-If you don't plan on writing any plugins, we recommend not reading
-this section of the documentation.
+~> **Advanced topic!** Plugin development is a highly advanced topic in Vault,
+and is not required knowledge for day-to-day usage. If you don't plan on writing
+any plugins, we recommend not reading this section of the documentation.
 
 Please read the [Plugins internals](/docs/internals/plugins.html) docs for more
 information about the plugin system before getting started building your
@@ -25,7 +28,7 @@ Database plugin.
 
 ## Plugin Interface
 
-All plugins for the Database backend must implement the same simple interface.
+All plugins for the database secrets engine must implement the same simple interface.
 
 ```go
 type Database interface {
@@ -91,27 +94,24 @@ The above main package, once built, will supply you with a binary of your
 plugin. We also recommend if you are planning on distributing your plugin to
 build with [gox](https://github.com/mitchellh/gox) for cross platform builds.
 
-To use your plugin with the Database backend you need to place the binary in the
+To use your plugin with the database secrets engine you need to place the binary in the
 plugin directory as specified in the [plugin internals](/docs/internals/plugins.html) docs.
 
 You should now be able to register your plugin into the vault catalog. To do
 this your token will need sudo permissions.
 
-```
+```text
 $ vault write sys/plugins/catalog/myplugin-database-plugin \
-    sha_256=<expected SHA256 Hex value of the plugin binary> \
+    sha_256="..." \
     command="myplugin"
 Success! Data written to: sys/plugins/catalog/myplugin-database-plugin
 ```
 
 Now you should be able to configure your plugin like any other:
 
-```
+```text
 $ vault write database/config/myplugin \
     plugin_name=myplugin-database-plugin \
     allowed_roles="readonly" \
-    myplugins_connection_details=....
-
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
+    myplugins_connection_details="..."
 ```
diff --git a/website/source/docs/secrets/databases/hanadb.html.md b/website/source/docs/secrets/databases/hanadb.html.md
index 295bb354d..c49564903 100644
--- a/website/source/docs/secrets/databases/hanadb.html.md
+++ b/website/source/docs/secrets/databases/hanadb.html.md
@@ -1,59 +1,79 @@
----
-layout: "docs"
-page_title: "HANA Database Plugin - Database Secret Backend"
-sidebar_current: "docs-secrets-databases-HANA"
-description: |-
-  The HANA plugin for Vault's Database backend generates database credentials to access SAP HANA Database.
----
-
-# HANA Database Plugin
-
-Name: `hana-database-plugin`
-
-The HANA Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
-configured roles for the HANA database.
-
-See the [Database Backend](/docs/secrets/databases/index.html) docs for more
-information about setting up the Database Backend.
-
-## Quick Start
-
-After the Database Backend is mounted you can configure a HANA connection
-by specifying this plugin as the `"plugin_name"` argument. Here is an example
-configuration:
-
-```
-$ vault write database/config/hana \
-    plugin_name=hana-database-plugin \
-    connection_url="hdb://username:password@localhost:1433" \
-    allowed_roles="readonly"
-
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will
-return the connection details as is, including passwords, if any.
-```
-
-Once the HANA connection is configured we can add a role:
-
-```
-$ vault write database/roles/readonly \
-    db_name=hana \
-    creation_statements="CREATE USER {{name}} PASSWORD {{password}} VALID UNTIL '{{expiration}}';\
-        CALL GRANT_ACTIVATED_ROLE ( 'sap.hana.admin.roles::Monitoring', '{{name}}' );" \
-    default_ttl="12h" \
-    max_ttl="24h"
-
-Success! Data written to: database/roles/readonly
-```
-
-This role can now be used to retrieve a new set of credentials by querying the
-"database/creds/readonly" endpoint.
-
-## API
-
-The full list of configurable options can be seen in the [HANA database
-plugin API](/api/secret/databases/hanadb.html) page.
-
-For more information on the Database secret backend's HTTP API please see the [Database secret
-backend API](/api/secret/databases/index.html) page.
+---
+layout: "docs"
+page_title: "HANA - Database - Secrets Engines"
+sidebar_current: "docs-secrets-databases-hanadb"
+description: |-
+  HANA is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the HANA database.
+---
+
+# HANA Database Secrets Engine
+
+HANA is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the HANA database.
+
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
+
+## Setup
+
+1. Enable the database secrets engine if it is not already enabled:
+
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
+
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1. Configure Vault with the proper plugin and connection information:
+
+    ```text
+    $ vault write database/config/my-hana-database \
+        plugin_name=hana-database-plugin \
+        connection_url="hdb://username:password@localhost:1433" \
+        allowed_roles="my-role"
+    ```
+
+1. Configure a role that maps a name in Vault to an SQL statement to execute to
+create the database credential:
+
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-hana-database \
+        creation_statements="CREATE USER {{name}} PASSWORD {{password}} VALID UNTIL '{{expiration}}';\
+            CALL GRANT_ACTIVATED_ROLE ( 'sap.hana.admin.roles::Monitoring', '{{name}}' );" \
+        default_ttl="12h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
+
+## API
+
+The full list of configurable options can be seen in the [HANA database
+plugin API](/api/secret/databases/hanadb.html) page.
+
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/index.html.md b/website/source/docs/secrets/databases/index.html.md
index 28c4a91b9..de72dc81b 100644
--- a/website/source/docs/secrets/databases/index.html.md
+++ b/website/source/docs/secrets/databases/index.html.md
@@ -1,102 +1,101 @@
 ---
 layout: "docs"
-page_title: "Database Secret Backend"
+page_title: "Database - Secrets Engines"
 sidebar_current: "docs-secrets-databases"
 description: |-
-  Top page for database secret backend information
+  The database secrets engine generates database credentials dynamically based
+  on configured roles. It works with a number of different databases through a
+  plugin interface. There are a number of builtin database types and an exposed
+  framework for running custom database types for extendability.
 ---
 
 # Databases
 
-Name: `Database`
+The database secrets engine generates database credentials dynamically based on
+configured roles. It works with a number of different databases through a plugin
+interface. There are a number of builtin database types and an exposed framework
+for running custom database types for extendability. This means that services
+that need to access a database no longer need to hardcode credentials: they can
+request them from Vault, and use Vault's leasing mechanism to more easily roll
+keys.
 
-The Database secret backend for Vault generates database credentials dynamically
-based on configured roles. It works with a number of different databases through
-a plugin interface. There are a number of builtin database types and an exposed
-framework for running custom database types for extendability. This means that
-services that need to access a database no longer need to hardcode credentials:
-they can request them from Vault, and use Vault's leasing mechanism to more
-easily roll keys.
-
-Additionally, it introduces a new ability: with every service accessing the
-database with unique credentials, it makes auditing much easier when
-questionable data access is discovered: you can track it down to the specific
-instance of a service based on the SQL username.
+Since every service accessing the database with unique credentials, it makes
+auditing much easier when questionable data access is discovered. You can track
+it down to the specific instance of a service based on the SQL username.
 
 Vault makes use of its own internal revocation system to ensure that users
 become invalid within a reasonable time of the lease expiring.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use vault path-help after mounting the backend.
+## Setup
 
-## Quick Start
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
 
-The first step in using the Database backend is mounting it.
+1. Enable the database secrets engine:
 
-```text
-$ vault mount database
-Successfully mounted 'database' at 'database'!
-```
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
 
-Next, we must configure this backend to connect to a database. In this example
-we will connect to a MySQL database, but the configuration details needed for
-other plugin types can be found in their docs pages. This backend can configure
-multiple database connections, therefore a name for the connection must be
-provided; we'll call this one simply "mysql".
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-```
-$ vault write database/config/mysql \
-    plugin_name=mysql-database-plugin \
-    connection_url="root:mysql@tcp(127.0.0.1:3306)/" \
-    allowed_roles="readonly"
+1. Configure Vault with the proper plugin and connection information:
 
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
-```
+    ```text
+    $ vault write database/config/my-database \
+        plugin_name="..." \
+        connection_url="..." \
+        allowed_roles="..."
+    ```
 
-The next step is to configure a role. A role is a logical name that maps to a
-policy used to generate those credentials. A role needs to be configured with
-the database name we created above, and the default/max TTLs. For example, lets
-create a "readonly" role:
+    This secrets engine can configure multiple database connections. For details
+    on the specific configuration options, please see the database-specific
+    documentation.
 
-```
-$ vault write database/roles/readonly \
-    db_name=mysql \
-    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
-    default_ttl="1h" \
-    max_ttl="24h"
-Success! Data written to: database/roles/readonly
-```
-By writing to the roles/readonly path we are defining the readonly role. This
-role will be created by evaluating the given creation statements. By default,
-the {{name}} and {{password}} fields will be populated by the plugin with
-dynamically generated values. In other plugins the {{expiration}} field could
-also be supported. This SQL statement is creating the named user, and then
-granting it SELECT or read-only privileges to tables in the database. More
-complex GRANT queries can be used to customize the privileges of the role.
-Custom revocation statements could be passed too, but this plugin has a default
-statement we can use.
+1. Configure a role that maps a name in Vault to an SQL statement to execute to create the database credential:
 
-To generate a new set of credentials, we simply read from that role:
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-database \
+        creation_statements="..." \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
 
-```
-$ vault read database/creds/readonly
-Key            	Value
----            	-----
-lease_id       	database/creds/readonly/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
-lease_duration 	1h0m0s
-lease_renewable	true
-password       	8cab931c-d62e-a73d-60d3-5ee85139cd66
-username       	v-root-e2978cd0-
-```
+    The `{{name}}` and `{{password}}` fields will be populated by the plugin
+    with dynamically generated values. In some plugins the `{{expiration}}`
+    field is also be supported.
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
 
 ## Custom Plugins
 
-This backend allows custom database types to be run through the exposed plugin
-interface. Please see the [Custom database
+This secrets engine allows custom database types to be run through the exposed
+plugin interface. Please see the [custom database
 plugin](/docs/secrets/databases/custom.html) for more information.
 
 ## API
 
-The Database secret backend has a full HTTP API. Please see the [Database secret
-backend API](/api/secret/databases/index.html) for more details.
+The database secrets engine has a full HTTP API. Please see the [Database secret
+secrets engine API](/api/secret/databases/index.html) for more details.
diff --git a/website/source/docs/secrets/databases/mongodb.html.md b/website/source/docs/secrets/databases/mongodb.html.md
index 004883d32..3d8c5ab5f 100644
--- a/website/source/docs/secrets/databases/mongodb.html.md
+++ b/website/source/docs/secrets/databases/mongodb.html.md
@@ -1,57 +1,78 @@
 ---
 layout: "docs"
-page_title: "MongoDB Database Plugin - Database Secret Backend"
+page_title: "MongoDB - Database - Secrets Engines"
 sidebar_current: "docs-secrets-databases-mongodb"
 description: |-
-  The MongoDB plugin for Vault's Database backend generates database credentials to access MongoDB.
+  MongoDB is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the MongoDB database.
 ---
 
-# MongoDB Database Plugin
+# MongoDB Database Secrets Engine
 
-Name: `mongodb-database-plugin`
+MongoDB is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the MongoDB database.
 
-The MongoDB Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
-configured roles for the MongoDB database.
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
 
-See the [Database Backend](/docs/secrets/databases/index.html) docs for more
-information about setting up the Database Backend.
+## Setup
 
-## Quick Start
+1. Enable the database secrets engine if it is not already enabled:
 
-After the Database Backend is mounted you can configure a MongoDB connection
-by specifying this plugin as the `"plugin_name"` argument. Here is an example
-MongoDB configuration:
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
 
-```
-$ vault write database/config/mongodb \
-    plugin_name=mongodb-database-plugin \
-    allowed_roles="readonly" \
-    connection_url="mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
-```
+1. Configure Vault with the proper plugin and connection information:
 
-Once the MongoDB connection is configured we can add a role:
+    ```text
+    $ vault write database/config/my-mongodb-database \
+        plugin_name=mongodb-database-plugin \
+        allowed_roles="my-role" \
+        connection_url="mongodb://admin:Password!@mongodb.acme.com:27017/admin?ssl=true"
+    ```
 
-```
-$ vault write database/roles/readonly \
-    db_name=mongodb \
-    creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
-    default_ttl="1h" \
-    max_ttl="24h"
+1. Configure a role that maps a name in Vault to an SQL statement to execute to
+create the database credential:
 
-Success! Data written to: database/roles/readonly
-```
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-mongodb-database \
+        creation_statements='{ "db": "admin", "roles": [{ "role": "readWrite" }, {"role": "read", "db": "foo"}] }' \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
 
-This role can be used to retrieve a new set of credentials by querying the
-"database/creds/readonly" endpoint.
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
 
 ## API
 
 The full list of configurable options can be seen in the [MongoDB database
 plugin API](/api/secret/databases/mongodb.html) page.
 
-For more information on the Database secret backend's HTTP API please see the [Database secret
-backend API](/api/secret/databases/index.html) page.
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/mssql.html.md b/website/source/docs/secrets/databases/mssql.html.md
index 8f5aee5c8..348136b08 100644
--- a/website/source/docs/secrets/databases/mssql.html.md
+++ b/website/source/docs/secrets/databases/mssql.html.md
@@ -1,69 +1,91 @@
 ---
 layout: "docs"
-page_title: "MSSQL Database Plugin - Database Secret Backend"
+page_title: "MSSQL - Database - Secrets Engines"
 sidebar_current: "docs-secrets-databases-mssql"
 description: |-
-  The MSSQL plugin for Vault's Database backend generates database credentials to access Microsoft SQL Server.
+
+  MSSQL is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the MSSQL database.
 ---
 
-# MSSQL Database Plugin
+# MSSQL Database Secrets Engine
 
-Name: `mssql-database-plugin`
+MSSQL is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the MSSQL database.
 
-The MSSQL Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
-configured roles for the MSSQL database.
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
 
-See the [Database Backend](/docs/secrets/databases/index.html) docs for more
-information about setting up the Database Backend.
+## Setup
 
-## Quick Start
+1. Enable the database secrets engine if it is not already enabled:
 
-After the Database Backend is mounted you can configure a MSSQL connection
-by specifying this plugin as the `"plugin_name"` argument. Here is an example
-configuration:
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
 
-```
-$ vault write database/config/mssql \
-    plugin_name=mssql-database-plugin \
-    connection_url='server=localhost;port=1433;user id=sa;password=Password!;database=AdventureWorks;app name=vault;' \
-    allowed_roles="readonly"
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
-```
+1. Configure Vault with the proper plugin and connection information:
 
-In this case, we've configured Vault with the user "sa" and password "Password!",
-connecting to an instance at "localhost" on port 1433. It is not necessary
-that Vault has the sa login, but the user must have privileges to create
-logins and manage processes. The fixed server roles `securityadmin` and
-`processadmin` are examples of built-in roles that grant these permissions. The
-user also must have privileges to create database users and grant permissions in
-the databases that Vault manages.  The fixed database roles `db_accessadmin` and
-`db_securityadmin` are examples or built-in roles that grant these permissions.
+    ```text
+    $ vault write database/config/my-mssql-database \
+        plugin_name=mssql-database-plugin \
+        connection_url='sqlserver://sa:yourStrong(!)Password@localhost:1433' \
+        allowed_roles="my-role"
+    ```
 
+    In this case, we've configured Vault with the user "sa" and password
+    "Password!", connecting to an instance at "localhost" on port 1433. It is
+    not necessary that Vault has the sa login, but the user must have privileges
+    to create logins and manage processes. The fixed server roles
+    `securityadmin` and `processadmin` are examples of built-in roles that grant
+    these permissions. The user also must have privileges to create database
+    users and grant permissions in the databases that Vault manages.  The fixed
+    database roles `db_accessadmin` and `db_securityadmin` are examples or
+    built-in roles that grant these permissions.
 
-Once the MSSQL connection is configured we can add a role:
+1. Configure a role that maps a name in Vault to an SQL statement to execute to
+create the database credential:
 
-```
-$ vault write database/roles/readonly \
-    db_name=mssql \
-    creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\
-        CREATE USER [{{name}}] FOR LOGIN [{{name}}];\
-        GRANT SELECT ON SCHEMA::dbo TO [{{name}}];" \
-    default_ttl="1h" \
-    max_ttl="24h"
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-mssql-database \
+        creation_statements="CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';\
+            CREATE USER [{{name}}] FOR LOGIN [{{name}}];\
+            GRANT SELECT ON SCHEMA::dbo TO [{{name}}];" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
 
-Success! Data written to: database/roles/readonly
-```
+## Usage
 
-This role can now be used to retrieve a new set of credentials by querying the
-"database/creds/readonly" endpoint.
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
 
 ## API
 
 The full list of configurable options can be seen in the [MSSQL database
 plugin API](/api/secret/databases/mssql.html) page.
 
-For more information on the Database secret backend's HTTP API please see the [Database secret
-backend API](/api/secret/databases/index.html) page.
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/mysql-maria.html.md b/website/source/docs/secrets/databases/mysql-maria.html.md
index 3b730fed3..48770a90f 100644
--- a/website/source/docs/secrets/databases/mysql-maria.html.md
+++ b/website/source/docs/secrets/databases/mysql-maria.html.md
@@ -1,19 +1,18 @@
 ---
 layout: "docs"
-page_title: "MySQL/MariaDB Database Plugin - Database Secret Backend"
+page_title: "MySQL/MariaDB - Database - Secrets Engines"
 sidebar_current: "docs-secrets-databases-mysql-maria"
 description: |-
-  The MySQL/MariaDB plugin for Vault's Database backend generates database credentials to access MySQL and MariaDB servers.
+  MySQL is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the MySQL database.
 ---
 
-# MySQL/MariaDB Database Plugin
+# MySQL/MariaDB Database Secrets Engine
 
-Name: `mysql-database-plugin`, `mysql-aurora-database-plugin`, `mysql-rds-database-plugin`,
-`mysql-legacy-database-plugin`
-
-The MySQL Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
-configured roles for the MySQL database.
+MySQL is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the MySQL database.
 
 This plugin has a few different instances built into vault, each instance is for
 a slightly different MySQL driver. The only difference between these plugins is
@@ -25,47 +24,60 @@ accept different lengths. The available plugins are:
  - mysql-rds-database-plugin
  - mysql-legacy-database-plugin
 
-See the [Database Backend](/docs/secrets/databases/index.html) docs for more
-information about setting up the Database Backend.
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
 
-## Quick Start
+## Setup
 
-After the Database Backend is mounted you can configure a MySQL connection
-by specifying this plugin as the `"plugin_name"` argument. Here is an example
-configuration:
+1. Enable the database secrets engine if it is not already enabled:
 
-```
-$ vault write database/config/mysql \
-    plugin_name=mysql-database-plugin \
-    connection_url="root:mysql@tcp(127.0.0.1:3306)/" \
-    allowed_roles="readonly"
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
 
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
-```
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-Once the MySQL connection is configured we can add a role:
+1. Configure Vault with the proper plugin and connection information:
 
-```
-$ vault write database/roles/readonly \
-    db_name=mysql \
-    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
-    default_ttl="1h" \
-    max_ttl="24h"
+    ```text
+    $ vault write database/config/my-mysql-database \
+        plugin_name=mysql-database-plugin \
+        connection_url="root:mysql@tcp(127.0.0.1:3306)/" \
+        allowed_roles="my-role"
+    ```
 
-Success! Data written to: database/roles/readonly
-```
+1. Configure a role that maps a name in Vault to an SQL statement to execute to
+create the database credential:
 
-This role can now be used to retrieve a new set of credentials by querying the
-"database/creds/readonly" endpoint.
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-mysql-database \
+        creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
 
-## API
+## Usage
 
-The full list of configurable options can be seen in the [MySQL database
-plugin API](/api/secret/databases/mysql-maria.html) page.
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
 
-For more information on the Database secret backend's HTTP API please see the [Database secret
-backend API](/api/secret/databases/index.html) page.
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
 
 ## Examples
 
@@ -77,7 +89,7 @@ This can be realized by using a wildcard in the grant statement. For example if
 you want the user created by Vault to have access to all databases starting with
 `fooapp_` you could use the following creation statement:
 
-```
+```text
 CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON `fooapp\_%`.* TO '{{name}}'@'%';
 ```
 
@@ -88,10 +100,18 @@ text between the backticks as something that must be executed. The easiest way t
 get around this is to encode the creation statement as Base64 and feed this to Vault.
 For example:
 
-```
-$ vault write database/roles/readonly \
+```text
+$ vault write database/roles/my-role \
     db_name=mysql \
     creation_statements="Q1JFQVRFIFVTRVIgJ3t7bmFtZX19J0AnJScgSURFTlRJRklFRCBCWSAne3twYXNzd29yZH19JzsgR1JBTlQgU0VMRUNUIE9OIGBmb29hcHBcXyVgLiogVE8gJ3t7bmFtZX19J0AnJSc7" \
     default_ttl="1h" \
     max_ttl="24h"
 ```
+
+## API
+
+The full list of configurable options can be seen in the [MySQL database plugin
+API](/api/secret/databases/mysql-maria.html) page.
+
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/oracle.html.md b/website/source/docs/secrets/databases/oracle.html.md
index 67d7b539f..997aab712 100644
--- a/website/source/docs/secrets/databases/oracle.html.md
+++ b/website/source/docs/secrets/databases/oracle.html.md
@@ -1,23 +1,27 @@
 ---
 layout: "docs"
-page_title: "Oracle Database Plugin"
+page_title: "Oracle - Database - Secrets Engines"
 sidebar_current: "docs-secrets-databases-oracle"
 description: |-
-  The Oracle Database plugin for Vault's Database backend generates database credentials to access Oracle Database severs.
+  Oracle is one of the supported plugins for the database secrets engine. This
+  plugin generates database credentials dynamically based on configured roles
+  for the Oracle database.
 ---
 
-# Oracle Database Plugin
+# Oracle Database Secrets Engine
 
-Name: `vault-plugin-database-oracle`
+Oracle is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the Oracle database.
 
-The Oracle Database Plugin is an external plugin for the Database
-backend. This plugin generates database credentials dynamically based on
-configured roles for the Oracle database.
+The Oracle database plugin is not bundled in the core Vault code tree and can be
+found at its own git repository here:
+[hashicorp/vault-plugin-database-oracle](https://github.com/hashicorp/vault-plugin-database-oracle)
 
 See the [Database Backend](/docs/secrets/databases/index.html) docs for more
 information about setting up the Database Backend.
 
-## Installation
+## Setup
 
 The Oracle Database Plugin does not live in the core Vault code tree and can be found
 at its own git repository here: [hashicorp/vault-plugin-database-oracle](https://github.com/hashicorp/vault-plugin-database-oracle)
@@ -27,54 +31,68 @@ library installed. These can be downloaded from Oracle. The libraries will need
 be placed in the default library search path or somewhere defined in the
 `LD_LIBRARY_PATH` environment variable.
 
-## Quick Start
+1. Enable the database secrets engine if it is not already enabled:
 
-After the Database Backend is mounted you can run the plugin and configure a
-connection to the Oracle Database.
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
 
-First the plugin must be built and registered to Vault's plugin catalog. To
-build the plugin see the plugin's code repository. Once the plugin is built and
-the binary is placed in Vault's plugin directory the catalog should be updated:
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-```
-$ vault write sys/plugins/catalog/vault-plugin-database-oracle \
-    sha_256=<expected SHA256 value> \
-    command=vault-plugin-database-oracle
-```
+1. Download and register the plugin:
 
-Once the plugin exists in the plugin catalog the Database backend can configure
-a connection for the Oracle Database:
+    ```text
+    $ vault write sys/plugins/catalog/oracle-database-plugin \
+        sha_256="..." \
+        command=oracle-database-plugin
+    ```
 
-```
-$ vault write database/config/oracle \
-    plugin_name=vault-plugin-database-oracle \
-    connection_url="system/Oracle@localhost:1521/OraDoc.localhost" \
-    allowed_roles="readonly"
+1. Configure Vault with the proper plugin and connection information:
 
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
-```
+    ```text
+    $ vault write database/config/my-oracle-database \
+        plugin_name=oracle-database-plugin \
+        connection_url="system/Oracle@localhost:1521/OraDoc.localhost" \
+        allowed_roles="my-role"
+    ```
 
-Once the Oracle connection is configured we can add a role:
+1. Configure a role that maps a name in Vault to an SQL statement to execute to
+create the database credential:
 
-```
-$ vault write database/roles/readonly \
-    db_name=oracle \
-    creation_statements="CREATE USER {{name}} IDENTIFIED BY {{password}}; GRANT CONNECT TO {{name}}; GRANT CREATE SESSION TO {{name}};" \
-    default_ttl="1h" \
-    max_ttl="24h"
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-oracle-database \
+        creation_statements="CREATE USER {{name}} IDENTIFIED BY {{password}}; GRANT CONNECT TO {{name}}; GRANT CREATE SESSION TO {{name}};" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
 
-Success! Data written to: database/roles/readonly
-```
+## Usage
 
-This role can now be used to retrieve a new set of credentials by querying the
-"database/creds/readonly" endpoint.
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
 
 ## API
 
-The full list of configurable options can be seen in the [Oracle database
-plugin API](/api/secret/databases/oracle.html) page.
-
-For more information on the Database secret backend's HTTP API please see the [Database secret
-backend API](/api/secret/databases/index.html) page.
+The full list of configurable options can be seen in the [Oracle database plugin
+API](/api/secret/databases/oracle.html) page.
 
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/databases/postgresql.html.md b/website/source/docs/secrets/databases/postgresql.html.md
index b05b45c53..14a4734f9 100644
--- a/website/source/docs/secrets/databases/postgresql.html.md
+++ b/website/source/docs/secrets/databases/postgresql.html.md
@@ -1,59 +1,79 @@
 ---
 layout: "docs"
-page_title: "PostgreSQL Database Plugin - Database Secret Backend"
+page_title: "PostgreSQL - Database - Secrets Engines"
 sidebar_current: "docs-secrets-databases-postgresql"
 description: |-
-  The PostgreSQL plugin for Vault's Database backend generates database credentials to access PostgreSQL.
+  PostgreSQL is one of the supported plugins for the database secrets engine.
+  This plugin generates database credentials dynamically based on configured
+  roles for the PostgreSQL database.
 ---
 
-# PostgreSQL Database Plugin
+# PostgreSQL Database Secrets Engine
 
-Name: `postgresql-database-plugin`
+PostgreSQL is one of the supported plugins for the database secrets engine. This
+plugin generates database credentials dynamically based on configured roles for
+the PostgreSQL database.
 
-The PostgreSQL Database Plugin is one of the supported plugins for the Database
-backend. This plugin generates database credentials dynamically based on
-configured roles for the PostgreSQL database.
+See the [database secrets engine](/docs/secrets/databases/index.html) docs for
+more information about setting up the database secrets engine.
 
-See the [Database Backend](/docs/secrets/databases/index.html) docs for more
-information about setting up the Database Backend.
+## Setup
 
-## Quick Start
+1. Enable the database secrets engine if it is not already enabled:
 
-After the Database Backend is mounted you can configure a PostgreSQL connection
-by specifying this plugin as the `"plugin_name"` argument. Here is an example
-configuration:
+    ```text
+    $ vault secrets enable database
+    Success! Enabled the database secrets engine at: database/
+    ```
 
-```
-$ vault write database/config/postgresql \
-    plugin_name=postgresql-database-plugin \
-    allowed_roles="readonly" \
-    connection_url="postgresql://root:root@localhost:5432/"
+    By default, the secrets engine will enable at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-The following warnings were returned from the Vault server:
-* Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any.
-```
+1. Configure Vault with the proper plugin and connection information:
 
-Once the PostgreSQL connection is configured we can add a role. The PostgreSQL
-plugin replaces `{{expiration}}` in statements with a formated timestamp:
+    ```text
+    $ vault write database/config/my-postgresql-database \
+        plugin_name=postgresql-database-plugin \
+        allowed_roles="my-role" \
+        connection_url="postgresql://root:root@localhost:5432/"
+    ```
 
-```
-$ vault write database/roles/readonly \
-    db_name=postgresql \
-    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
-        GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
-    default_ttl="1h" \
-    max_ttl="24h"
+1. Configure a role that maps a name in Vault to an SQL statement to execute to
+create the database credential:
 
-Success! Data written to: database/roles/readonly
-```
+    ```text
+    $ vault write database/roles/my-role \
+        db_name=my-postgresql-database \
+        creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
+            GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
+        default_ttl="1h" \
+        max_ttl="24h"
+    Success! Data written to: database/roles/my-role
+    ```
 
-This role can be used to retrieve a new set of credentials by querying the
-"database/creds/readonly" endpoint.
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
+
+    ```text
+    $ vault read database/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           database/creds/my-role/2f6a614c-4aa2-7b19-24b9-ad944a8d4de6
+    lease_duration     1h
+    lease_renewable    true
+    password           8cab931c-d62e-a73d-60d3-5ee85139cd66
+    username           v-root-e2978cd0-
+    ```
 
 ## API
 
 The full list of configurable options can be seen in the [PostgreSQL database
 plugin API](/api/secret/databases/postgresql.html) page.
 
-For more information on the Database secret backend's HTTP API please see the [Database secret
-backend API](/api/secret/databases/index.html) page.
+For more information on the database secrets engine's HTTP API please see the
+[Database secrets engine API](/api/secret/databases/index.html) page.
diff --git a/website/source/docs/secrets/identity/index.html.md b/website/source/docs/secrets/identity/index.html.md
index 9ed9b486c..f9eac66e8 100644
--- a/website/source/docs/secrets/identity/index.html.md
+++ b/website/source/docs/secrets/identity/index.html.md
@@ -1,16 +1,16 @@
 ---
 layout: "docs"
-page_title: "Identity Secret Backend"
+page_title: "Identity - Secrets Engines"
 sidebar_current: "docs-secrets-identity"
 description: |-
-  The Identity secret backend for Vault manages client identities.
+  The Identity secrets engine for Vault manages client identities.
 ---
 
-# Identity Secret Backend
+# Identity Secrets Engine
 
 Name: `identity`
 
-The Identity secret backend is the identity management solution for Vault. It
+The Identity secrets engine is the identity management solution for Vault. It
 internally maintains the clients who are recognized by Vault. Each client is
 internally termed as an `Entity`. An entity can have multiple `Personas`. For
 example, a single user who has accounts in both Github and LDAP, can be mapped
@@ -30,11 +30,11 @@ entities are **an addition** to the existing capabilities of the token and
 get inherited from entities are computed at request time. This provides
 flexibility in controlling the access of tokens that are already issued.
 
-This backend will be mounted by default. This backend cannot be unmounted or
-remounted.
+This secrets engine will be mounted by default. This secrets engine cannot be
+unmounted or remounted.
 
 ## API
 
-The Identity secret backend has a full HTTP API. Please see the
-[Identity secret backend API](/api/secret/identity/index.html) for more
+The Identity secrets engine has a full HTTP API. Please see the
+[Identity secrets engine API](/api/secret/identity/index.html) for more
 details.
diff --git a/website/source/docs/secrets/index.html.md b/website/source/docs/secrets/index.html.md
index ea8bb1c67..6b6d7a7a5 100644
--- a/website/source/docs/secrets/index.html.md
+++ b/website/source/docs/secrets/index.html.md
@@ -1,75 +1,66 @@
 ---
 layout: "docs"
-page_title: "Secret Backends"
+page_title: "Secrets Engines"
 sidebar_current: "docs-secrets"
 description: |-
-  Secret backends are mountable backends that store or generate secrets in Vault.
+  Secrets engines are mountable engines that store or generate secrets in Vault.
 ---
 
-# Secret Backends
+# Secrets Engines
 
-Secret backends are the components in Vault which store and generate
-secrets.
+Secrets engines are components which store, generate, or encrypt data. Secrets
+engines are incredibly flexible, so it is easiest to think about them in terms
+of their function. Secrets engines are provided some set of data, they take some
+action on that data, and they return a result.
 
-Some secret backends, such as "kv", simply store and read
-secrets verbatim. Other secret backends, such as "aws", create _dynamic
-secrets_: secrets that are made on demand.
+Some secrets engines simply store and read data - like encrypted
+Redis/Memcached. Other secrets engines connect to other services and generate
+dynamic credentials on demand. Other secrets engines provide encryption as a
+service, totp generation, certificates, and much more.
 
-Secret backends are part of the
-[mount system](#)
-in Vault. They behave very similarly to a virtual filesystem:
-any read/write/delete is sent to the secret backend, and the secret
-backend can choose to react to that operation however it sees fit.
+Secrets engines are enabled at a "path" in Vault. When a request comes to Vault,
+the router automatically routes anything with the route prefix to the secrets
+engine. In this way, each secrets engine defines its own paths and properties.
+To the user, secrets engines behave similar to a virtual filesystem, supporting
+operations like read, write, and delete.
 
-For example, the "kv" backend passes through any operation back
-to the configured storage backend for Vault. A "read" turns into a
-"read" of the storage backend at the same path, a "write" turns into
-a write, etc. This is a lot like a normal filesystem.
+## Secrets Engines Lifecycle
 
-The "aws" backend, on the other hand, behaves differently. When you
-write to `aws/config/root`, it expects a certain format and stores that
-information as configuration. You can't read from this path. When you
-read from `aws/<name>`, it looks up an IAM policy named `<name>` and
-generates AWS access credentials on demand and returns them. It doesn't
-behave at all like a typical filesystem: you're not simply storing and
-retrieving values, you're interacting with an API.
+Most secrets engines can be enabled, disabled, tuned, and moved via the CLI or
+API. Previous versions of Vault called these "mounts", but that term was
+overloaded.
 
-## Mounting/Unmounting Secret Backends
+- **Enable** - This enables a secrets engine at a given path. With few
+  exceptions, secrets engines can be enabled at multiple paths. Each secrets
+  engine is isolated to its path. By default, they are enabled at their "type"
+  (e.g. "aws" enables at "aws/").
 
-Secret backends can be mounted/unmounted using the CLI or the API.
-There are three operations that can be performed with a secret backend
-with regards to mounting:
+- **Disable** - This disables an existing secrets engine. When a secrets engine
+  is disabled, all of its secrets are revoked (if they support it), and all of
+  the data stored for that engine in the physical storage layer is deleted.
 
-  * **Mount** - This mounts a new secret backend. Multiple secret
-    backends of the same type can be mounted at the same time by
-    specifying different mount points. By default, secret backends are
-    mounted to the same path as their name. This is what you want most
-    of the time.
+- **Move** - This moves the path for an existing secrets engine. This process
+  revokes all secrets, since secret leases are tied to the path they were
+  created at. The configuration data stored for the engine persists through the
+  move.
 
-  * **Unmount** - This unmounts an existing secret backend. When a secret
-    backend is unmounted, all of its secrets are revoked (if they support
-    it), and all of the data stored for that backend in the physical storage
-    layer is deleted.
+- **Tune** - This tunes global configuration for the secrets engine such as the
+  TTLs.
 
-  * **Remount** - This moves the mount point for an existing secret backend.
-    This revokes all secrets, since secret leases are tied to the path they
-    were created at. The data stored for the backend won't be deleted.
-
-Once a secret backend is mounted, you can interact with it directly
-at its mount point according to its own API. You can use the `vault path-help`
-system to determine the paths it responds to.
+Once a secrets engine is enabled, you can interact with it directly at its path
+according to its own API. Use `vault path-help` to determine the paths it
+responds to.
 
 ## Barrier View
 
-An important concept around secret backends is that they receive a
-_barrier view_ to the configured Vault physical storage. This is a lot
-like a [chroot](https://en.wikipedia.org/wiki/Chroot).
+Secrets engines receive a _barrier view_ to the configured Vault physical
+storage. This is a lot like a [chroot](https://en.wikipedia.org/wiki/Chroot).
 
-Whenever a secret backend is mounted, a random UUID is generated. This
-becomes the data root for that backend. Whenever that backend writes to
-the physical storage layer, it is prefixed with that UUID folder. Since
-the Vault storage layer doesn't support relative access (such as `..`),
-this makes it impossible for a mounted backend to access any other data.
+When a secrets engine is enabled, a random UUID is generated. This becomes the
+data root for that engine. Whenever that engine writes to the physical storage
+layer, it is prefixed with that UUID folder. Since the Vault storage layer
+doesn't support relative access (such as `../`), this makes it impossible for a
+enabled secrets engine to access other data.
 
-This is an important security feature in Vault: even a malicious backend
-can't access the data from any other backend.
+This is an important security feature in Vault - even a malicious engine
+cannot access the data from any other engine.
diff --git a/website/source/docs/secrets/kv/index.html.md b/website/source/docs/secrets/kv/index.html.md
index 8a4994bb6..1925cae6e 100644
--- a/website/source/docs/secrets/kv/index.html.md
+++ b/website/source/docs/secrets/kv/index.html.md
@@ -1,77 +1,91 @@
 ---
 layout: "docs"
-page_title: "Key/Value Secret Backend"
+page_title: "KV - Secrets Engines"
 sidebar_current: "docs-secrets-kv"
 description: |-
-  The key/value secret backend can store arbitrary secrets.
+  The KV secrets engine can store arbitrary secrets.
 ---
 
-# Key/Value Secret Backend
+# KV Secrets Engine
 
-Name: `kv`
+The `kv` secrets engine is used to store arbitrary secrets within the
+configured physical storage for Vault.
 
-The key/value secret backend is used to store arbitrary secrets within
-the configured physical storage for Vault. If you followed along with
-the getting started guide, you interacted with a key/value secret backend
-via the `secret/` prefix that Vault mounts by default. You can mount as many
-of these backends at different mount points as you like.
+Writing to a key in the `kv` secrets engine will completely replace the old
+value.
 
-Writing to a key in the `kv` backend will replace the old value;
-sub-fields are not merged together.
-
-This backend honors the distinction between the `create` and `update`
+This secrets engine honors the distinction between the `create` and `update`
 capabilities inside ACL policies.
 
-**Note**: Path and key names are _not_ obfuscated or encrypted; only the values
-set on keys are. You should not store sensitive information as part of a
+~> **Note**: Path and key names are _not_ obfuscated or encrypted; only the
+values set on keys are. You should not store sensitive information as part of a
 secret's path.
 
-## Quick Start
+## Setup
 
-The kv backend allows for writing keys with arbitrary values. When data is
-returned, the `lease_duration` field (in the API JSON) or `refresh_interval`
-field (on the CLI) gives a hint as to how often a reader should look for a new
-value. This comes from the value of the `default_lease_ttl` set on the mount,
-or the system value.
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
 
-There is one piece of special data handling: if a `ttl` key is provided, it
-will be treated as normal data, but on read the backend will attempt to parse
-it as a duration (either as a string like `1h` or an integer number of seconds
-like `3600`). If successful, the backend will use this value in place of the
-normal `lease_duration`. However, the given value will also still be returned
-exactly as specified, so you are free to use that key in any way that you like
-if it fits your input data.
+The `kv` secrets engine is enabled by default at the path `secret/`. It can
+be disabled, moved, or enabled multiple times at different paths. Each instance
+of the KV secrets engine is isolated and unique.
 
-The backend _never_ removes data on its own; the `ttl` key is merely advisory.
+## Usage
 
-As an example, we can write a new key "foo" to the kv backend mounted at
-"secret/" by default:
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials. The `kv` secrets engine
+allows for writing keys with arbitrary values.
 
-```
-$ vault write secret/foo \
-    zip=zap \
-    ttl=1h
-Success! Data written to: secret/foo
+1. Write arbitrary data:
+
+    ```text
+    $ vault write secret/my-secret my-value=s3cr3t
+    Success! Data written to: secret/my-secret
+    ```
+
+1. Read arbitrary data:
+
+    ```text
+    $ vault read secret/my-secret
+    Key                 Value
+    ---                 -----
+    refresh_interval    768h
+    my-value            s3cr3t
+    ```
+
+## TTLs
+
+Unlike other secrets engines, the KV secrets engine does not enforce TTLs
+for expiration. Instead, the `lease_duration` is a hint for how often consumers
+should check back for a new value. This is commonly displayed as
+`refresh_interval` instead of `lease_duration` to clarify this in output.
+
+If provided a key of `ttl`, the KV secrets engine will utilize this value
+as the lease duration:
+
+```text
+$ vault write secret/my-secret ttl=30m my-value=s3cr3t
+Success! Data written to: secret/my-secret
 ```
 
-This writes the key with the "zip" field set to "zap" and a one hour TTL.
-We can test this by doing a read:
+Even will a `ttl` set, the secrets engine _never_ removes data on its own. The
+`ttl` key is merely advisory.
 
-```
-$ vault read secret/foo
-Key               Value
----               -----
-refresh_interval  3600
-ttl               1h
-zip               zap
-```
+When reading a value with a `ttl`, both the `ttl` key _and_ the refresh interval
+will reflect the value:
 
-As expected, we get the values previously set back as well as our custom TTL
-both as specified and translated to seconds. The duration has been set to 3600
-seconds (one hour) as specified.
+```text
+$ vault read secret/my-secret
+Key                 Value
+---                 -----
+refresh_interval    30m
+my-value            s3cr3t
+ttl                 30m
+```
 
 ## API
 
-The Key/Value secret backend has a full HTTP API. Please see the
-[Key/Value secret backend API](/api/secret/kv/index.html) for more
+The KV secrets engine has a full HTTP API. Please see the
+[KV secrets engine API](/api/secret/kv/index.html) for more
 details.
diff --git a/website/source/docs/secrets/mongodb/index.html.md b/website/source/docs/secrets/mongodb/index.html.md
index 654278191..3121a8f92 100644
--- a/website/source/docs/secrets/mongodb/index.html.md
+++ b/website/source/docs/secrets/mongodb/index.html.md
@@ -1,21 +1,19 @@
 ---
 layout: "docs"
-page_title: "MongoDB Secret Backend"
+page_title: "MongoDB - Secrets Engines"
 sidebar_current: "docs-secrets-mongodb"
 description: |-
-  The mongodb secret backend for Vault generates database credentials to access MongoDB.
+  The mongodb secrets engine for Vault generates database credentials to access MongoDB.
 ---
 
-# MongoDB Secret Backend
+# MongoDB Secrets Engine
 
-Name: `mongodb`
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[MongoDB database plugin](/docs/secrets/databases/mongodb.html).
 
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the documentation for
-the new implementation of this backend at
-[MongoDB Database Plugin](/docs/secrets/databases/mongodb.html).
-
-The `mongodb` secret backend for Vault generates MongoDB database credentials
+The `mongodb` secrets engine for Vault generates MongoDB database credentials
 dynamically based on configured roles. This means that services that need
 to access a MongoDB database no longer need to hard-code credentials: they
 can request them from Vault and use Vault's leasing mechanism to more easily
@@ -29,17 +27,17 @@ instance of a service based on the MongoDB username.
 Vault makes use of its own internal revocation system to ensure that users
 become invalid within a reasonable time of the lease expiring.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
 
 ## Quick Start
 
-The first step to using the mongodb backend is to mount it.
-Unlike the `kv` backend, the `mongodb` backend is not mounted by default.
+The first step to using the mongodb secrets engine is to mount it. Unlike the
+`kv` secrets engine, the `mongodb` secrets engine is not mounted by default.
 
 ```
-$ vault mount mongodb
-Successfully mounted 'mongodb' at 'mongodb'!
+$ vault secrets enable mongodb
+Success! Enabled the mongodb secrets engine at: mongodb/
 ```
 
 Next, we must tell Vault how to connect to MongoDB. This is done by providing
@@ -105,26 +103,26 @@ the credentials path for that role:
 
 ```
 $ vault read mongodb/creds/readonly
-Key            	Value
----            	-----
-lease_id       	mongodb/creds/readonly/91685212-3040-7dde-48b1-df997c5dc8e7
-lease_duration 	3600
-lease_renewable	true
-db             	foo
-password       	c3faa86d-0f93-9649-de91-c431765e62dd
-username       	vault-token-48729def-b0ca-2b17-d7b9-3ca7cb86f0ae
+Key                Value
+---                -----
+lease_id           mongodb/creds/readonly/91685212-3040-7dde-48b1-df997c5dc8e7
+lease_duration     3600
+lease_renewable    true
+db                 foo
+password           c3faa86d-0f93-9649-de91-c431765e62dd
+username           vault-token-48729def-b0ca-2b17-d7b9-3ca7cb86f0ae
 ```
 
 By reading from the `creds/readonly` path, Vault has generated a new set of
 credentials using the `readonly` role configuration. Here we see the
 dynamically generated username and password, along with a one hour lease.
 
-Using ACLs, it is possible to restrict using the `mongodb` backend such that
+Using ACLs, it is possible to restrict using the `mongodb` secrets engine such that
 trusted operators can manage the role definitions, and both users and
 applications are restricted in the credentials they are allowed to read.
 
 ## API
 
-The MongoDB secret backend has a full HTTP API. Please see the
-[MongoDB secret backend API](/api/secret/mongodb/index.html) for more
+The MongoDB secrets engine has a full HTTP API. Please see the
+[MongoDB secrets engine API](/api/secret/mongodb/index.html) for more
 details.
diff --git a/website/source/docs/secrets/mssql/index.html.md b/website/source/docs/secrets/mssql/index.html.md
index 443ba6fc2..b0aa015c7 100644
--- a/website/source/docs/secrets/mssql/index.html.md
+++ b/website/source/docs/secrets/mssql/index.html.md
@@ -1,21 +1,19 @@
 ---
 layout: "docs"
-page_title: "MSSQL Secret Backend"
+page_title: "MSSQL - Secrets Engines"
 sidebar_current: "docs-secrets-mssql"
 description: |-
-  The MSSQL secret backend for Vault generates database credentials to access Microsoft Sql Server.
+  The MSSQL secrets engine for Vault generates database credentials to access Microsoft Sql Server.
 ---
 
-# MSSQL Secret Backend
+# MSSQL Secrets Engine
 
-Name: `mssql`
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[MSSQL database plugin](/docs/secrets/databases/mssql.html).
 
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the documentation for
-the new implementation of this backend at
-[MSSQL Database Plugin](/docs/secrets/databases/mssql.html).
-
-The MSSQL secret backend for Vault generates database credentials
+The MSSQL secrets engine for Vault generates database credentials
 dynamically based on configured roles. This means that services that need
 to access a database no longer need to hardcode credentials: they can request
 them from Vault, and use Vault's leasing mechanism to more easily roll keys.
@@ -28,17 +26,17 @@ instance of a service based on the SQL username.
 Vault makes use of its own internal revocation system to ensure that users
 become invalid within a reasonable time of the lease expiring.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
 
 ## Quick Start
 
-The first step to using the mssql backend is to mount it.
-Unlike the `kv` backend, the `mssql` backend is not mounted by default.
+The first step to using the mssql secrets engine is to mount it. Unlike the `kv`
+secrets engine, the `mssql` secrets engine is not mounted by default.
 
 ```
-$ vault mount mssql
-Successfully mounted 'mssql' at 'mssql'!
+$ vault secrets enable mssql
+Success! Enabled the mssql secrets engine at: mssql/
 ```
 
 Next, we must configure Vault to know how to connect to the MSSQL
@@ -96,11 +94,12 @@ To generate a new set of credentials, we simply read from that role:
 
 ```
 $ vault read mssql/creds/readonly
-Key           	Value
-lease_id      	mssql/creds/readonly/cdf23ac8-6dbd-4bf9-9919-6acaaa86ba6c
-lease_duration	3600
-password      	ee202d0d-e4fd-4410-8d14-2a78c5c8cb76
-username      	root-a147d529-e7d6-4a16-8930-4c3e72170b19
+Key               Value
+---               -----
+lease_id          mssql/creds/readonly/cdf23ac8-6dbd-4bf9-9919-6acaaa86ba6c
+lease_duration    3600
+password          ee202d0d-e4fd-4410-8d14-2a78c5c8cb76
+username          root-a147d529-e7d6-4a16-8930-4c3e72170b19
 ```
 
 By reading from the `creds/readonly` path, Vault has generated a new
@@ -108,13 +107,13 @@ set of credentials using the `readonly` role configuration. Here we
 see the dynamically generated username and password, along with a one
 hour lease.
 
-Using ACLs, it is possible to restrict using the mssql backend such
+Using ACLs, it is possible to restrict using the mssql secrets engine such
 that trusted operators can manage the role definitions, and both
 users and applications are restricted in the credentials they are
 allowed to read.
 
 ## API
 
-The MSSQL secret backend has a full HTTP API. Please see the
-[MSSQL secret backend API](/api/secret/mssql/index.html) for more
+The MSSQL secrets engine has a full HTTP API. Please see the
+[MSSQL secrets engine API](/api/secret/mssql/index.html) for more
 details.
diff --git a/website/source/docs/secrets/mysql/index.html.md b/website/source/docs/secrets/mysql/index.html.md
index cf970c95d..961998e40 100644
--- a/website/source/docs/secrets/mysql/index.html.md
+++ b/website/source/docs/secrets/mysql/index.html.md
@@ -1,21 +1,21 @@
 ---
 layout: "docs"
-page_title: "MySQL Secret Backend"
+page_title: "MySQL - Secrets Engines"
 sidebar_current: "docs-secrets-mysql"
 description: |-
-  The MySQL secret backend for Vault generates database credentials to access MySQL.
+  The MySQL secrets engine for Vault generates database credentials to access MySQL.
 ---
 
-# MySQL Secret Backend
+# MySQL Secrets Engine
 
 Name: `mysql`
 
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the documentation for
-the new implementation of this backend at
-[MySQL/MariaDB Database Plugin](/docs/secrets/databases/mysql-maria.html).
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[MySQL/MariaDB database plugin](/docs/secrets/databases/mysql-maria.html).
 
-The MySQL secret backend for Vault generates database credentials
+The MySQL secrets engine for Vault generates database credentials
 dynamically based on configured roles. This means that services that need
 to access a database no longer need to hardcode credentials: they can request
 them from Vault, and use Vault's leasing mechanism to more easily roll keys.
@@ -28,17 +28,17 @@ instance of a service based on the SQL username.
 Vault makes use of its own internal revocation system to ensure that users
 become invalid within a reasonable time of the lease expiring.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
 
 ## Quick Start
 
-The first step to using the mysql backend is to mount it.
-Unlike the `kv` backend, the `mysql` backend is not mounted by default.
+The first step to using the mysql secrets engine is to mount it. Unlike the `kv`
+secrets engine, the `mysql` secrets engine is not mounted by default.
 
 ```
-$ vault mount mysql
-Successfully mounted 'mysql' at 'mysql'!
+$ vault secrets enable mysql
+Success! Enabled the mysql secrets engine at: mysql/
 ```
 
 Next, we must configure Vault to know how to connect to the MySQL
@@ -95,11 +95,12 @@ To generate a new set of credentials, we simply read from that role:
 
 ```
 $ vault read mysql/creds/readonly
-Key           	Value
-lease_id      	mysql/creds/readonly/bd404e98-0f35-b378-269a-b7770ef01897
-lease_duration	3600
-password      	132ae3ef-5a64-7499-351e-bfe59f3a2a21
-username      	readonly-aefa635a-18
+Key               Value
+---               -----
+lease_id          mysql/creds/readonly/bd404e98-0f35-b378-269a-b7770ef01897
+lease_duration    3600
+password          132ae3ef-5a64-7499-351e-bfe59f3a2a21
+username          readonly-aefa635a-18
 ```
 
 By reading from the `creds/readonly` path, Vault has generated a new
@@ -107,7 +108,7 @@ set of credentials using the `readonly` role configuration. Here we
 see the dynamically generated username and password, along with a one
 hour lease.
 
-Using ACLs, it is possible to restrict using the mysql backend such
+Using ACLs, it is possible to restrict using the mysql secrets engine such
 that trusted operators can manage the role definitions, and both
 users and applications are restricted in the credentials they are
 allowed to read.
@@ -124,6 +125,6 @@ the default on versions prior to that.
 
 ## API
 
-The MySQL secret backend has a full HTTP API. Please see the
-[MySQL secret backend API](/api/secret/mysql/index.html) for more
+The MySQL secrets engine has a full HTTP API. Please see the
+[MySQL secrets engine API](/api/secret/mysql/index.html) for more
 details.
diff --git a/website/source/docs/secrets/pki/index.html.md b/website/source/docs/secrets/pki/index.html.md
index 1ac49044a..31bd5dbbd 100644
--- a/website/source/docs/secrets/pki/index.html.md
+++ b/website/source/docs/secrets/pki/index.html.md
@@ -1,42 +1,133 @@
 ---
 layout: "docs"
-page_title: "PKI Secret Backend"
+page_title: "PKI - Secrets Engines"
 sidebar_current: "docs-secrets-pki"
 description: |-
-  The PKI secret backend for Vault generates TLS certificates.
+  The PKI secrets engine for Vault generates TLS certificates.
 ---
 
-# PKI Secret Backend
+# PKI Secrets Engine
 
-Name: `pki`
-
-The PKI secret backend for Vault generates X.509 certificates dynamically based
-on configured roles. This means services can get certificates needed for both
-client and server authentication without going through the usual manual process
-of generating a private key and CSR, submitting to a CA, and waiting for a
-verification and signing process to complete. Vault's built-in authentication
+The PKI secrets engine generates dynamic X.509 certificates. With this secrets
+engine, services can get certificates without going through the usual manual
+process of generating a private key and CSR, submitting to a CA, and waiting for
+a verification and signing process to complete. Vault's built-in authentication
 and authorization mechanisms provide the verification functionality.
 
 By keeping TTLs relatively short, revocations are less likely to be needed,
-keeping CRLs short and helping the backend scale to large workloads. This in
-turn allows each instance of a running application to have a unique
+keeping CRLs short and helping the secrets engine scale to large workloads. This
+in turn allows each instance of a running application to have a unique
 certificate, eliminating sharing and the accompanying pain of revocation and
 rollover.
 
-In addition, by allowing revocation to mostly be forgone, this backend allows
-for ephemeral certificates; certificates can be fetched and stored in memory
-upon application startup and discarded upon shutdown, without ever being
+In addition, by allowing revocation to mostly be forgone, this secrets engine
+allows for ephemeral certificates. Certificates can be fetched and stored in
+memory upon application startup and discarded upon shutdown, without ever being
 written to disk.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+## Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the PKI secrets engine:
+
+    ```text
+    $ vault secrets enable pki
+    Success! Enabled the pki secrets engine at: pki/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+
+1. Increase the TTL by tuning the secrets engine. The default value of 30 days may be too short, so increase it to 1 year:
+
+    ```text
+    $ vault secrets tune -max-lease-ttl=8760h pki
+    Success! Tuned the secrets engine at: pki/
+    ```
+
+    Note that individual roles can restrict this value to be shorter on a
+    per-certificate basis. This just configures the global maximum for this
+    secrets engine.
+
+1. Configure a CA certificate and private key. Vault can accept an existing key
+pair, or it can generate its own self-signed root. In general, we recommend
+maintaining your root CA outside of Vault and providing Vault a signed
+intermediate CA.
+
+    ```text
+    $ vault write pki/root/generate/internal \
+        common_name=my-website.com \
+        ttl=8760h
+
+    Key              Value
+    ---              -----
+    certificate      -----BEGIN CERTIFICATE-----...
+    expiration       1536807433
+    issuing_ca       -----BEGIN CERTIFICATE-----...
+    serial_number    7c:f1:fb:2c:6e:4d:99:0e:82:1b:08:0a:81:ed:61:3e:1d:fa:f5:29
+    ```
+
+    The returned certificate is purely informative. The private key is safely
+    stored internally in Vault.
+
+1. Update the CRL location and issuing certificates. These values can be updated
+in the future.
+
+    ```text
+    $ vault write pki/config/urls \
+        issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" \
+        crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
+    Success! Data written to: pki/config/urls
+    ```
+
+1. Configure a role that maps a name in Vault to a procedure for generating a
+certificate. When users or machines generate credentials, they are generated
+against this role:
+
+    ```text
+    $ vault write pki/roles/my-role \
+        allowed_domains=my-website.com \
+        allow_subdomains=true \
+        max_ttl=72h
+    Success! Data written to: pki/roles/my-role
+    ```
+
+## Usage
+
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
+
+1. Generate a new credential by writing to the `/issue` endpoint with the name
+of the role:
+
+    ```text
+    $ vault write pki/issue/my-role \
+        common_name=www.my-website.com
+
+    Key                 Value
+    ---                 -----
+    certificate         -----BEGIN CERTIFICATE-----...
+    issuing_ca          -----BEGIN CERTIFICATE-----...
+    private_key         -----BEGIN RSA PRIVATE KEY-----...
+    private_key_type    rsa
+    serial_number       1d:2e:c6:06:45:18:60:0e:23:d6:c5:17:43:c0:fe:46:ed:d1:50:be
+    ```
+
+    The output will include a dynamically generated private key and certificate
+    which corresponds to the given role and expires in 72h (as dictated by our
+    role definition). The issuing CA and trust chain is also returned for
+    automation simplicity.
 
 ## Considerations
 
-To successfully deploy this backend, there are a number of important
+To successfully deploy this secrets engine, there are a number of important
 considerations to be aware of, as well as some preparatory steps that should be
-undertaken. You should read all of these *before* using this backend or
-generating the CA to use with this backend.
+undertaken. You should read all of these *before* using this secrets engine or
+generating the CA to use with this secrets engine.
 
 ### Be Careful with Root CAs
 
@@ -46,342 +137,86 @@ Vault, don't put it in Vault as well; instead, issue a shorter-lived
 intermediate CA certificate and put this into Vault. This aligns with industry
 best practices.
 
-Since 0.4, the backend supports generating self-signed root CAs and creating
-and signing CSRs for intermediate CAs. In each instance, for security reasons,
-the private key can *only* be exported at generation time, and the ability to
-do so is part of the command path (so it can be put into ACL policies).
+Since 0.4, the secrets engine supports generating self-signed root CAs and
+creating and signing CSRs for intermediate CAs. In each instance, for security
+reasons, the private key can *only* be exported at generation time, and the
+ability to do so is part of the command path (so it can be put into ACL
+policies).
 
 If you plan on using intermediate CAs with Vault, it is suggested that you let
 Vault create CSRs and do not export the private key, then sign those with your
-root CA (which may be a second mount of the `pki` backend).
+root CA (which may be a second mount of the `pki` secrets engine).
 
-### One CA Certificate, One Backend
+### One CA Certificate, One Secrets Engine
 
 In order to vastly simplify both the configuration and codebase of the PKI
-backend, only one CA certificate is allowed per backend. If you want to issue
-certificates from multiple CAs, mount the PKI backend at multiple mount points
-with separate CA certificates in each.
+secrets engine, only one CA certificate is allowed per secrets engine. If you
+want to issue certificates from multiple CAs, mount the PKI secrets engine at
+multiple mount points with separate CA certificates in each.
 
 This also provides a convenient method of switching to a new CA certificate
-while keeping CRLs valid from the old CA certificate; simply mount a new
-backend and issue from there.
+while keeping CRLs valid from the old CA certificate; simply mount a new secrets
+engine and issue from there.
 
 A common pattern is to have one mount act as your root CA and to use this CA
 only to sign intermediate CA CSRs from other PKI mounts.
 
 ### Keep certificate lifetimes short, for CRL's sake
 
-This backend aligns with Vault's philosophy of short-lived secrets. As such it
-is not expected that CRLs will grow large; the only place a private key is ever
-returned is to the requesting client (this backend does *not* store generated
-private keys, except for CA certificates). In most cases, if the key is lost,
-the certificate can simply be ignored, as it will expire shortly.
+This secrets engine aligns with Vault's philosophy of short-lived secrets. As
+such it is not expected that CRLs will grow large; the only place a private key
+is ever returned is to the requesting client (this secrets engine does *not*
+store generated private keys, except for CA certificates). In most cases, if the
+key is lost, the certificate can simply be ignored, as it will expire shortly.
 
-If a certificate must truly be revoked, the normal Vault revocation function
-can be used; alternately a root token can be used to revoke the certificate
-using the certificate's serial number. Any revocation action will cause the CRL
-to be regenerated. When the CRL is regenerated, any expired certificates are
-removed from the CRL (and any revoked, expired certificate are removed from
-backend storage).
+If a certificate must truly be revoked, the normal Vault revocation function can
+be used; alternately a root token can be used to revoke the certificate using
+the certificate's serial number. Any revocation action will cause the CRL to be
+regenerated. When the CRL is regenerated, any expired certificates are removed
+from the CRL (and any revoked, expired certificate are removed from secrets
+engine storage).
 
-This backend does not support multiple CRL endpoints with sliding date windows;
-often such mechanisms will have the transition point a few days apart, but this
-gets into the expected realm of the actual certificate validity periods issued
-from this backend. A good rule of thumb for this backend would be to simply not
-issue certificates with a validity period greater than your maximum comfortable
-CRL lifetime. Alternately, you can control CRL caching behavior on the client
-to ensure that checks happen more often.
+This secrets engine does not support multiple CRL endpoints with sliding date
+windows; often such mechanisms will have the transition point a few days apart,
+but this gets into the expected realm of the actual certificate validity periods
+issued from this secrets engine. A good rule of thumb for this secrets engine
+would be to simply not issue certificates with a validity period greater than
+your maximum comfortable CRL lifetime. Alternately, you can control CRL caching
+behavior on the client to ensure that checks happen more often.
 
 Often multiple endpoints are used in case a single CRL endpoint is down so that
-clients don't have to figure out what to do with a lack of response. Run Vault
-in HA mode, and the CRL endpoint should be available even if a particular node
+clients don't have to figure out what to do with a lack of response. Run Vault in HA mode, and the CRL endpoint should be available even if a particular node
 is down.
 
 ### You must configure issuing/CRL/OCSP information *in advance*
 
-This backend serves CRLs from a predictable location, but it is not possible
-for the backend to know where it is running. Therefore, you must configure
-desired URLs for the issuing certificate, CRL distribution points, and OCSP
-servers manually using the `config/urls` endpoint. It is supported to have more
-than one of each of these by passing in the multiple URLs as a comma-separated
-string parameter.
+This secrets engine serves CRLs from a predictable location, but it is not
+possible for the secrets engine to know where it is running. Therefore, you must
+configure desired URLs for the issuing certificate, CRL distribution points, and
+OCSP servers manually using the `config/urls` endpoint. It is supported to have
+more than one of each of these by passing in the multiple URLs as a
+comma-separated string parameter.
 
 ### Safe Minimums
 
-Since its inception, this backend has enforced SHA256 for signature hashes
-rather than SHA1. As of 0.5.1, a minimum of 2048 bits for RSA keys is also
-enforced. Software that can handle SHA256 signatures should also be able to
-handle 2048-bit keys, and 1024-bit keys are considered unsafe and are
-disallowed in the Internet PKI.
+Since its inception, this secrets engine has enforced SHA256 for signature
+hashes rather than SHA1. As of 0.5.1, a minimum of 2048 bits for RSA keys is
+also enforced. Software that can handle SHA256 signatures should also be able to
+handle 2048-bit keys, and 1024-bit keys are considered unsafe and are disallowed
+in the Internet PKI.
 
 ### Token Lifetimes and Revocation
 
 When a token expires, it revokes all leases associated with it. This means that
 long-lived CA certs need correspondingly long-lived tokens, something that is
-easy to forget. Starting with 0.6, root and intermediate CA certs no longer
-have associated leases, to prevent unintended revocation when not using a token
-with a long enough lifetime. To revoke these certificates, use the `pki/revoke`
+easy to forget. Starting with 0.6, root and intermediate CA certs no longer have
+associated leases, to prevent unintended revocation when not using a token with
+a long enough lifetime. To revoke these certificates, use the `pki/revoke`
 endpoint.
 
-## Quick Start
-
-#### Mount the backend
-
-The first step to using the PKI backend is to mount it. Unlike the `kv`
-backend, the `pki` backend is not mounted by default.
-
-```text
-$ vault mount pki
-Successfully mounted 'pki' at 'pki'!
-```
-
-#### Configure a CA certificate
-
-Next, Vault must be configured with a CA certificate and associated private
-key. We'll take advantage of the backend's self-signed root generation support,
-but Vault also supports generating an intermediate CA (with a CSR for signing)
-or setting a PEM-encoded certificate and private key bundle directly into the
-backend.
-
-Generally you'll want a root certificate to only be used to sign CA
-intermediate certificates, but for this example we'll proceed as if you will
-issue certificates directly from the root. As it's a root, we'll want to set a
-long maximum life time for the certificate; since it honors the maximum mount
-TTL, first we adjust that:
-
-```text
-$ vault mount-tune -max-lease-ttl=87600h pki
-Successfully tuned mount 'pki'!
-```
-
-That sets the maximum TTL for secrets issued from the mount to 10 years. (Note
-that roles can further restrict the maximum TTL.)
-
-Now, we generate our root certificate:
-
-```text
-$ vault write pki/root/generate/internal common_name=myvault.com ttl=87600h
-Key             Value
-certificate     -----BEGIN CERTIFICATE-----
-MIIDvTCCAqWgAwIBAgIUAsza+fvOw+Xh9ifYQ0gNN0ruuWcwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTUxMTE5MTYwNDU5WhcNMjUx
-MTE2MTYwNDU5WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMUhH4OLf/sa6GuJONGC/CWLY7nDbfH8jAaCKgqV
-eJ81KrmcgP8WPhoFsYHFQEQXQZcrJagwYfm19jYn3CaqrYPbciv9bcWi+ECxZV3x
-Hs/YdCFk7KgDGCci37w+cy6fSB943FKJqqVbvPv0odmq6LvgGGgneznvuvkIrOWG
-qVDrDdvbEZ01XAyzUQJaaiJXExN+6xm1HcBoypCP8ZjjnXHcFQvw2QBItLRU7iUd
-ESFgbrkrSPW3HA6KF0ov2qFMoHTiQ6aM4KaHPmXcFPicugYR9owZfZ4lwWJCqT7j
-EkhokaMgHnvyRScuiRZhQm8ppHZoYsqrc3glfEuxGHkS+0cCAwEAAaOCAQEwgf4w
-DgYDVR0PAQH/BAQDAgGuMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFLvAbt0eUUOoo7hjKiQM2bRqDKrZMB8GA1UdIwQYMBaA
-FLvAbt0eUUOoo7hjKiQM2bRqDKrZMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcw
-AoYfaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3BraS9jYTAWBgNVHREEDzANggtt
-eXZhdWx0LmNvbTAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vMTI3LjAuMC4xOjgy
-MDAvdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAVSgIRl6XJs95D7iXGzeQ
-Ab8OIei779k0pD7xxS/+knY3TM6733zL/LXs4BEL3wfcQWoDrMtCW0Ook455sAOE
-PSnTaZYQSH/F74VawWhSee4ZyiWq+sTUI4IzqYG3IS36mCyb0t6RxEb3aoQ87WHs
-BHIB6uWbj6WoGHYM8ESxY89aY9jnX3xSs1HuluVW1uPrpIoa/eudpyV40Y1+9RNM
-6fCX5LHGM7vKYxqvudYe+7G1MdKVBQg17h6XuieiUswVt2/HvDlNr+9DHrUla9Ve
-Ig43v+grirlG7DrAr6Aiu/MVWKJP6CvNwG/XzrGaqd6KqSsE+8oIGR9tCTuPxI6v
-SQ==
------END CERTIFICATE-----
-expiration      1.763309099e+09
-issuing_ca      -----BEGIN CERTIFICATE-----
-MIIDvTCCAqWgAwIBAgIUAsza+fvOw+Xh9ifYQ0gNN0ruuWcwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLbXl2YXVsdC5jb20wHhcNMTUxMTE5MTYwNDU5WhcNMjUx
-MTE2MTYwNDU5WjAWMRQwEgYDVQQDEwtteXZhdWx0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMUhH4OLf/sa6GuJONGC/CWLY7nDbfH8jAaCKgqV
-eJ81KrmcgP8WPhoFsYHFQEQXQZcrJagwYfm19jYn3CaqrYPbciv9bcWi+ECxZV3x
-Hs/YdCFk7KgDGCci37w+cy6fSB943FKJqqVbvPv0odmq6LvgGGgneznvuvkIrOWG
-qVDrDdvbEZ01XAyzUQJaaiJXExN+6xm1HcBoypCP8ZjjnXHcFQvw2QBItLRU7iUd
-ESFgbrkrSPW3HA6KF0ov2qFMoHTiQ6aM4KaHPmXcFPicugYR9owZfZ4lwWJCqT7j
-EkhokaMgHnvyRScuiRZhQm8ppHZoYsqrc3glfEuxGHkS+0cCAwEAAaOCAQEwgf4w
-DgYDVR0PAQH/BAQDAgGuMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdEwEB/wQF
-MAMBAf8wHQYDVR0OBBYEFLvAbt0eUUOoo7hjKiQM2bRqDKrZMB8GA1UdIwQYMBaA
-FLvAbt0eUUOoo7hjKiQM2bRqDKrZMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcw
-AoYfaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3BraS9jYTAWBgNVHREEDzANggtt
-eXZhdWx0LmNvbTAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vMTI3LjAuMC4xOjgy
-MDAvdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAVSgIRl6XJs95D7iXGzeQ
-Ab8OIei779k0pD7xxS/+knY3TM6733zL/LXs4BEL3wfcQWoDrMtCW0Ook455sAOE
-PSnTaZYQSH/F74VawWhSee4ZyiWq+sTUI4IzqYG3IS36mCyb0t6RxEb3aoQ87WHs
-BHIB6uWbj6WoGHYM8ESxY89aY9jnX3xSs1HuluVW1uPrpIoa/eudpyV40Y1+9RNM
-6fCX5LHGM7vKYxqvudYe+7G1MdKVBQg17h6XuieiUswVt2/HvDlNr+9DHrUla9Ve
-Ig43v+grirlG7DrAr6Aiu/MVWKJP6CvNwG/XzrGaqd6KqSsE+8oIGR9tCTuPxI6v
-SQ==
------END CERTIFICATE-----
-serial_number   02:cc:da:f9:fb:ce:c3:e5:e1:f6:27:d8:43:48:0d:37:4a:ee:b9:67
-```
-
-The returned certificate is purely informational; it and its private key are
-safely stored in the backend mount.
-
-#### Set URL configuration
-
-Generated certificates can have the CRL location and the location of the
-issuing certificate encoded. These values must be set manually, but can be
-changed at any time.
-
-```text
-$ vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
-Success! Data written to: pki/ca/urls
-```
-
-#### Configure a role
-
-The next step is to configure a role. A role is a logical name that maps to a
-policy used to generate those credentials. For example, let's create an
-"example-dot-com" role:
-
-```text
-$ vault write pki/roles/example-dot-com \
-    allowed_domains="example.com" \
-    allow_subdomains="true" max_ttl="72h"
-Success! Data written to: pki/roles/example-dot-com
-```
-
-#### Generate credentials
-
-By writing to the `roles/example-dot-com` path we are defining the
-`example-dot-com` role. To generate a new set of credentials, we simply write
-to the `issue` endpoint with that role name: Vault is now configured to create
-and manage certificates!
-
-```text
-$ vault write pki/issue/example-dot-com \
-    common_name=blah.example.com
-Key             	Value
----             	-----
-lease_id        	pki/issue/example-dot-com/6d8ab3e2-ce31-8821-81e4-740a498af51d
-lease_duration  	259199
-lease_renewable 	false
-certificate     	-----BEGIN CERTIFICATE-----
-MIIDbDCCAlSgAwIBAgIUPiAyxq+nIE6xlWf7hrzLkPQxtvMwDQYJKoZIhvcNAQEL
-BQAwMzExMC8GA1UEAxMoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1
-dGhvcml0eTAeFw0xNjA5MjcwMDA5MTNaFw0xNjA5MjcwMTA5NDNaMBsxGTAXBgNV
-BAMTEGJsYWguZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQDJAYB04IVdmSC/TimaA6BbXlvgBTZHL5wBUTmO4iHhenL0eDEXVe2Fd7Yq
-75LiBJmcC96hKbqh5rwS8KwN9ElZI52/mSMC+IvoNlYHAf7shwfsjrVx3q7/bTFg
-lz6wECn1ugysxynmMvgQD/pliRkxTQ7RMh4Qlh75YG3R9BHy9ZddklZp0aNaitts
-0uufHnN1UER/wxBCZdWTUu34KDL9I6yE7Br0slKKHPdEsGlFcMkbZhvjslZ7DGvO
-974S0qtOdKiawJZbpNPg0foGZ3AxesDUlkHmmgzUNes/sjknDYTHEfeXM6Uap0j6
-XvyhCxqdeahb/Vtibg0z9I0IusJbAgMBAAGjgY8wgYwwDgYDVR0PAQH/BAQDAgOo
-MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU/5oy0rL7
-TT0wX7KZK7qcXqgayNwwHwYDVR0jBBgwFoAUgM37P8oXmA972ztLfw+b1eIY5now
-GwYDVR0RBBQwEoIQYmxhaC5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
-CT2vI6/taeLTw6ZulUhLXEXYXWZu1gF8n2COjZzbZXmHxQAoZ3GtnSNwacPHAyIj
-f3cA9Moo552y39LUtWk+wgFtQokWGK7LXglLaveNUBowOHq/xk0waiIinJcgTG53
-Z/qnbJnTjAOG7JwVJplWUIiS1avCksrHt7heE2EGRGJALqyLZ119+PW6ogtCLUv1
-X8RCTw/UkIF/LT+sLF0bXWy4Hn38Gjwj1MVv1l76cEGOVSHyrYkN+6AMnAP58L5+
-IWE9tN3oac4x7jhbuNpfxazIJ8Q6l/Up5U5Evfbh6N1DI0/gFCP20fMBkHwkuLfZ
-2ekZoSeCgFRDlHGkr7Vv9w==
------END CERTIFICATE-----
-issuing_ca      	-----BEGIN CERTIFICATE-----
-MIIDijCCAnKgAwIBAgIUB28DoGwgGFKL7fbOu9S4FalHLn0wDQYJKoZIhvcNAQEL
-BQAwLzEtMCsGA1UEAxMkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9y
-aXR5MB4XDTE2MDkyNzAwMDgyMVoXDTI2MDkxNjE2MDg1MVowMzExMC8GA1UEAxMo
-VmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1dGhvcml0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOSCiSij4wy1wiMwvZt+rtU3IaO6ZTn9
-LfIPuGsR5/QSJk37pCZQco1LgoE/rTl+/xu3bDovyHDmgObghC6rzVOX2Tpi7kD+
-DOZpqxOsaS8ebYgxB/XJTSxyEJuSAcpSNLqqAiZivuQXdaD0N7H3Or0awwmKE9mD
-I0g8CF4fPDmuuOG0ASn9fMqXVVt5tXtEqZ9yJYfNOXx3FOPjRVOZf+kvSc31wCKe
-i/KmR0AQOmToKMzq988nLqFPTi9KZB8sEU20cGFeTQFol+m3FTcIru94EPD+nLUn
-xtlLELVspYb/PP3VpvRj9b+DY8FGJ5nfSJl7Rkje+CD4VxJpSadin3kCAwEAAaOB
-mTCBljAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
-gM37P8oXmA972ztLfw+b1eIY5nowHwYDVR0jBBgwFoAUj4YAIxRwrBy0QMRKLnD0
-kVidIuYwMwYDVR0RBCwwKoIoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3Vi
-IEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEAA4buJuPNJvA1kiATLw1dVU2J
-HPubk2Kp26Mg+GwLn7Vz45Ub133JCYfF3/zXLFZZ5Yub9gWTtjScrvNfQTAbNGdQ
-BdnUlMmIRmfB7bfckhryR2R9byumeHATgNKZF7h8liNHI7X8tTzZGs6wPdXOLlzR
-TlM3m1RNK8pbSPOkfPb06w9cBRlD8OAbNtJmuypXA6tYyiiMYBhP0QLAO3i4m1ns
-aAjAgEjtkB1rQxW5DxoTArZ0asiIdmIcIGmsVxfDQIjFlRxAkafMs74v+5U5gbBX
-wsOledU0fLl8KLq8W3OXqJwhGLK65fscrP0/omPAcFgzXf+L4VUADM4XhW6Xyg==
------END CERTIFICATE-----
-ca_chain        	[-----BEGIN CERTIFICATE-----
-MIIDijCCAnKgAwIBAgIUB28DoGwgGFKL7fbOu9S4FalHLn0wDQYJKoZIhvcNAQEL
-BQAwLzEtMCsGA1UEAxMkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9y
-aXR5MB4XDTE2MDkyNzAwMDgyMVoXDTI2MDkxNjE2MDg1MVowMzExMC8GA1UEAxMo
-VmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1dGhvcml0eTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOSCiSij4wy1wiMwvZt+rtU3IaO6ZTn9
-LfIPuGsR5/QSJk37pCZQco1LgoE/rTl+/xu3bDovyHDmgObghC6rzVOX2Tpi7kD+
-DOZpqxOsaS8ebYgxB/XJTSxyEJuSAcpSNLqqAiZivuQXdaD0N7H3Or0awwmKE9mD
-I0g8CF4fPDmuuOG0ASn9fMqXVVt5tXtEqZ9yJYfNOXx3FOPjRVOZf+kvSc31wCKe
-i/KmR0AQOmToKMzq988nLqFPTi9KZB8sEU20cGFeTQFol+m3FTcIru94EPD+nLUn
-xtlLELVspYb/PP3VpvRj9b+DY8FGJ5nfSJl7Rkje+CD4VxJpSadin3kCAwEAAaOB
-mTCBljAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
-gM37P8oXmA972ztLfw+b1eIY5nowHwYDVR0jBBgwFoAUj4YAIxRwrBy0QMRKLnD0
-kVidIuYwMwYDVR0RBCwwKoIoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3Vi
-IEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEAA4buJuPNJvA1kiATLw1dVU2J
-HPubk2Kp26Mg+GwLn7Vz45Ub133JCYfF3/zXLFZZ5Yub9gWTtjScrvNfQTAbNGdQ
-BdnUlMmIRmfB7bfckhryR2R9byumeHATgNKZF7h8liNHI7X8tTzZGs6wPdXOLlzR
-TlM3m1RNK8pbSPOkfPb06w9cBRlD8OAbNtJmuypXA6tYyiiMYBhP0QLAO3i4m1ns
-aAjAgEjtkB1rQxW5DxoTArZ0asiIdmIcIGmsVxfDQIjFlRxAkafMs74v+5U5gbBX
-wsOledU0fLl8KLq8W3OXqJwhGLK65fscrP0/omPAcFgzXf+L4VUADM4XhW6Xyg==
------END CERTIFICATE----- -----BEGIN CERTIFICATE-----
-MIIDejCCAmKgAwIBAgIUDXJyQ1uJPF5ridDOCvGtVF1F8HUwDQYJKoZIhvcNAQEL
-BQAwJzElMCMGA1UEAxMcVmF1bHQgVGVzdGluZyBSb290IEF1dGhvcml0eTAeFw0x
-NjA5MjcwMDA4MjBaFw0yNjA5MjAyMDA4NTBaMC8xLTArBgNVBAMTJFZhdWx0IFRl
-c3RpbmcgSW50ZXJtZWRpYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAKHsRTw3aShwDTbywK7AeXNvz7IrmdOLAsd+svDdIUn/4kWQ
-lAy4uXYncQc/V9bqLjza3tflK7otXT+V5GjbK+WpW5WSp8LkVhKdLRWOnPWJEC+B
-nOucmLR0mFQF1W4Bfx0fYYCLdN/YbjSevPmA0UzlIN/pdQQoxUIvraTHPNBar94K
-zmlMu06qAvl27LXYUE3nAhQaRGq4M39WbAUtRsNKaTU72qTpMsstpnBB1QBT2m2U
-44twFpXZAgfR/hSqcA4NegPWmB5l+E2GhYfihOhVcnFaH2tgXb4MOMUyRH1hNdgZ
-28K5G1ILt2+Rp+NSosA0LI3pV490SJfAxuc0tsUCAwEAAaOBlTCBkjAOBgNVHQ8B
-Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUj4YAIxRwrBy0QMRK
-LnD0kVidIuYwHwYDVR0jBBgwFoAULNIU30rP+wMVelJMFNyDtxgtq04wLwYDVR0R
-BCgwJoIkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9yaXR5MA0GCSqG
-SIb3DQEBCwUAA4IBAQCOjH2n8H1Q5KpaWTm378FKd2YY1nzI/nCwjAQX96VcJUrZ
-W1ofPsTcCASQKwo3HC2ayV46DMiKoJWI+xOux2N+S9uVd+SC4ZloFzSER8cCDRRk
-huVra+cAaljnkJVb4Ojv6vHnXljx9NrcW6KzJzwMf1HzewyG+P1EjD4/kcA5r0Gw
-vuzGXMXmjMATf0LZlklDOHkNLtvnLS8axbXI05TlHIj9y9Y+aQyFYebwip+ZXYju
-pIJFswrsCk5e2G6+UmhV81JH29IvjBi4POgqm2+mrGz5xS/i6flcs/8pn01jlDpC
-knj9MxY9j42z2BKkhHayyuOa0BQm0TTu4S2fhajl
------END CERTIFICATE-----]
-private_key     	-----BEGIN RSA PRIVATE KEY-----
-MIIEpgIBAAKCAQEAyQGAdOCFXZkgv04pmgOgW15b4AU2Ry+cAVE5juIh4Xpy9Hgx
-F1XthXe2Ku+S4gSZnAveoSm6oea8EvCsDfRJWSOdv5kjAviL6DZWBwH+7IcH7I61
-cd6u/20xYJc+sBAp9boMrMcp5jL4EA/6ZYkZMU0O0TIeEJYe+WBt0fQR8vWXXZJW
-adGjWorbbNLrnx5zdVBEf8MQQmXVk1Lt+Cgy/SOshOwa9LJSihz3RLBpRXDJG2Yb
-47JWewxrzve+EtKrTnSomsCWW6TT4NH6BmdwMXrA1JZB5poM1DXrP7I5Jw2ExxH3
-lzOlGqdI+l78oQsanXmoW/1bYm4NM/SNCLrCWwIDAQABAoIBAQCCbHMJY1Wl8eIJ
-v5HG2WuHXaaHqVoavo2fXTDXwWryfx1v+zz/Q0YnQBH3shPAi/OQCTOfpw/uVWTb
-dUZul3+wUyfcVmUdXGCLgBY53dWna8Z8e+zHwhISsqtDXV/TpelUBDCNO324XIIR
-Cg0TLO4nyzQ+ESLo6D+Y2DTp8lBjMEkmKTd8CLXR2ycEoVykN98qPZm8keiLGO91
-I8K7aRd8uOyQ6HUfJRlzFHSuwaLReErxGTEPI4t/wVqh2nP2gGBsn3apiJ0ul6Jz
-NlYO5PqiwpeDk4ibhQBpicnm1jnEcynH/WtGuKgMNB0M4SBRBsEguO7WoKx3o+qZ
-iVIaPWDhAoGBAO05UBvyJpAcz/ZNQlaF0EAOhoxNQ3h6+6ZYUE52PgZ/DHftyJPI
-Y+JJNclY91wn91Yk3ROrDi8gqhzA+2Lelxo1kuZDu+m+bpzhVUdJia7tZDNzRIhI
-24eP2GdochooOZ0qjvrik4kuX43amBhQ4RHsBjmX5CnUlL5ZULs8v2xnAoGBANjq
-VLAwiIIqJZEC6BuBvVYKaRWkBCAXvQ3j/OqxHRYu3P68PZ58Q7HrhrCuyQHTph2v
-fzfmEMPbSCrFIrrMRmjUG8wopL7GjZjFl8HOBHFwzFiz+CT5DEC+IJIRkp4HM8F/
-PAzjB2wCdRdSjLTD5ph0/xQIg5xfln7D+wqU0QHtAoGBAKkLF0/ivaIiNftw0J3x
-WxXag/yErlizYpIGCqvuzII6lLr9YdoViT/eJYrmb9Zm0HS9biCu2zuwDijRSBIL
-RieyF40opUaKoi3+0JMtDwTtO2MCd8qaCH3QfkgqAG0tTuj1Q8/6F2JA/myKYamq
-MMhhpYny9+7rAlemM8ZJIqtvAoGBAKOI3zpKDNCdd98A4v7B7H2usZUIJ7gOTZDo
-XqiNyRENWb2PK6GNq/e6SrxvuclvyKA+zFnXULJoYtsj7tAH69lieGaOCc5uoRgZ
-eBU7/euMj/McE6vEO3GgJawaJYCQi3uJMjvA+bp7i81+hehOfU5ZfmmbFaZSBoMh
-u+U5Vu3tAoGBANnBIbHfD3E7rqnqdpH1oRRHLA1VdghzEKgyUTPHNDzPJG87RY3c
-rRqeXepblud3qFjD60xS9BzcBijOvZ4+KHk6VIMpkyqoeNVFCJbBVCw+JGMp88+v
-e9t+2iwryh5+rnq+pg6anmgwHldptJc1XEFZA2UUQ89RP7kOGQF6IkIS
------END RSA PRIVATE KEY-----
-private_key_type	rsa
-serial_number   	3e:20:32:c6:af:a7:20:4e:b1:95:67:fb:86:bc:cb:90:f4:31:b6:f3
-```
-
-Vault has now generated a new set of credentials using the `example-dot-com`
-role configuration. Here we see the dynamically generated private key and
-certificate. The issuing CA certificate and CA trust chain is returned as well.
-
-Using ACLs, it is possible to restrict using the pki backend such that trusted
-operators can manage the role definitions, and both users and applications are
-restricted in the credentials they are allowed to read.
-
-If you get stuck at any time, simply run `vault path-help pki` or with a
-subpath for interactive help output.
-
 
 ## API
 
-The PKI secret backend has a full HTTP API. Please see the
-[PKI secret backend API](/api/secret/pki/index.html) for more
+The PKI secrets engine has a full HTTP API. Please see the
+[PKI secrets engine API](/api/secret/pki/index.html) for more
 details.
diff --git a/website/source/docs/secrets/postgresql/index.html.md b/website/source/docs/secrets/postgresql/index.html.md
index 4c4a36362..f11819a36 100644
--- a/website/source/docs/secrets/postgresql/index.html.md
+++ b/website/source/docs/secrets/postgresql/index.html.md
@@ -1,21 +1,21 @@
 ---
 layout: "docs"
-page_title: "PostgreSQL Secret Backend"
+page_title: "PostgreSQL - Secrets Engines"
 sidebar_current: "docs-secrets-postgresql"
 description: |-
-  The PostgreSQL secret backend for Vault generates database credentials to access PostgreSQL.
+  The PostgreSQL secrets engine for Vault generates database credentials to access PostgreSQL.
 ---
 
-# PostgreSQL Secret Backend
+# PostgreSQL Secrets Engine
 
 Name: `postgresql`
 
-~> **Deprecation Note:** This backend is deprecated in favor of the
-combined databases backend added in v0.7.1. See the documentation for
-the new implementation of this backend at
-[PostgreSQL Database Plugin](/docs/secrets/databases/postgresql.html).
+~> **Deprecation Note:** This secrets engine is deprecated in favor of the
+combined databases secrets engine added in v0.7.1. See the documentation for
+the new implementation of this secrets engine at
+[PostgreSQL database plugin](/docs/secrets/databases/postgresql.html).
 
-The PostgreSQL secret backend for Vault generates database credentials
+The PostgreSQL secrets engine for Vault generates database credentials
 dynamically based on configured roles. This means that services that need
 to access a database no longer need to hardcode credentials: they can request
 them from Vault, and use Vault's leasing mechanism to more easily roll keys.
@@ -29,17 +29,17 @@ Vault makes use both of its own internal revocation system as well as the
 `VALID UNTIL` setting when creating PostgreSQL users to ensure that users
 become invalid within a reasonable time of the lease expiring.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
 
 ## Quick Start
 
-The first step to using the PostgreSQL backend is to mount it.
-Unlike the `kv` backend, the `postgresql` backend is not mounted by default.
+The first step to using the PostgreSQL secrets engine is to mount it. Unlike the
+`kv` secrets engine, the `postgresql` secrets engine is not mounted by default.
 
 ```text
-$ vault mount postgresql
-Successfully mounted 'postgresql' at 'postgresql'!
+$ vault secrets enable postgresql
+Success! Enabled the postgresql secrets engine at: postgresql/
 ```
 
 Next, Vault must be configured to connect to the PostgreSQL. This is done by
@@ -92,11 +92,12 @@ Vault is now configured to create and manage credentials for Postgres!
 
 ```text
 $ vault read postgresql/creds/readonly
-Key           	Value
-lease_id      	postgresql/creds/readonly/c888a097-b0e2-26a8-b306-fc7c84b98f07
-lease_duration	3600
-password      	34205e88-0de1-68b7-6267-72d8e32c5d3d
-username      	root-1430162075-7887
+Key               Value
+---               -----
+lease_id          postgresql/creds/readonly/c888a097-b0e2-26a8-b306-fc7c84b98f07
+lease_duration    3600
+password          34205e88-0de1-68b7-6267-72d8e32c5d3d
+username          root-1430162075-7887
 ```
 
 By reading from the `creds/readonly` path, Vault has generated a new
@@ -104,7 +105,7 @@ set of credentials using the `readonly` role configuration. Here we
 see the dynamically generated username and password, along with a one
 hour lease.
 
-Using ACLs, it is possible to restrict using the postgresql backend such
+Using ACLs, it is possible to restrict using the postgresql secrets engine such
 that trusted operators can manage the role definitions, and both
 users and applications are restricted in the credentials they are
 allowed to read.
@@ -114,6 +115,6 @@ subpath for interactive help output.
 
 ## API
 
-The PostgreSQL secret backend has a full HTTP API. Please see the
-[PostgreSQL secret backend API](/api/secret/postgresql/index.html) for more
+The PostgreSQL secrets engine has a full HTTP API. Please see the
+[PostgreSQL secrets engine API](/api/secret/postgresql/index.html) for more
 details.
diff --git a/website/source/docs/secrets/rabbitmq/index.html.md b/website/source/docs/secrets/rabbitmq/index.html.md
index 56b99b8db..4a2c0236f 100644
--- a/website/source/docs/secrets/rabbitmq/index.html.md
+++ b/website/source/docs/secrets/rabbitmq/index.html.md
@@ -1,115 +1,97 @@
 ---
 layout: "docs"
-page_title: "RabbitMQ Secret Backend"
+page_title: "RabbitMQ - Secrets Engines"
 sidebar_current: "docs-secrets-rabbitmq"
 description: |-
-  The RabbitMQ secret backend for Vault generates user credentials to access RabbitMQ.
+  The RabbitMQ secrets engine for Vault generates user credentials to access RabbitMQ.
 ---
 
-# RabbitMQ Secret Backend
+# RabbitMQ Secrets Engine
 
-Name: `rabbitmq`
+The RabbitMQ secrets engine generates user credentials dynamically based on
+configured permissions and virtual hosts. This means that services that need to
+access a virtual host no longer need to hardcode credentials.
 
-The RabbitMQ secret backend for Vault generates user credentials dynamically
-based on configured permissions and virtual hosts. This means that services
-that need to access a virtual host no longer need to hardcode credentials:
-they can request them from Vault, and use Vault's leasing mechanism to
-more easily roll users.
-
-Additionally, it introduces a new ability: with every service accessing the
-messaging queue with unique credentials, it makes auditing much easier when
-questionable data access is discovered: you can track it down to the specific
-instance of a service based on the RabbitMQ username.
+With every service accessing the messaging queue with unique credentials,
+auditing is much easier when questionable data access is discovered. Easily
+track issues down to a specific instance of a service based on the RabbitMQ
+username.
 
 Vault makes use both of its own internal revocation system as well as the
-deleting RabbitMQ users when creating RabbitMQ users to ensure that users
-become invalid within a reasonable time of the lease expiring.
+deleting RabbitMQ users when creating RabbitMQ users to ensure that users become
+invalid within a reasonable time of the lease expiring.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+## Setup
 
-## Quick Start
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
 
-The first step to using the RabbitMQ backend is to mount it. Unlike the
-`kv` backend, the `rabbitmq` backend is not mounted by default.
+1. Enable the RabbitMQ secrets engine:
 
-```text
-$ vault mount rabbitmq
-Successfully mounted 'rabbitmq' at 'rabbitmq'!
-```
+    ```text
+    $ vault secrets enable rabbitmq
+    Success! Enabled the rabbitmq secrets engine at: rabbitmq/
+    ```
 
-Next, Vault must be configured to connect to the RabbitMQ. This is done by
-writing the RabbitMQ management URI, RabbitMQ management administrator user,
-and the user's password.
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-```text
-$ vault write rabbitmq/config/connection \
-    connection_uri="http://localhost:15672" \
-    username="admin" \
-    password="password"
-```
+1. Configure the credentials that Vault uses to communicate with RabbitMQ to
+generate credentials:
 
-In this case, we've configured Vault with the URI "http://localhost:15672",
-user "admin", and password "password" connecting to a local RabbitMQ
-management instance. It is important that the Vault user have the
-administrator privilege to manager users.
+    ```text
+    $ vault write rabbitmq/config/connection \
+        connection_uri="http://localhost:15672" \
+        username="admin" \
+        password="password"
+    Success! Data written to: rabbitmq/config/connection
+    ```
 
-Optionally, we can configure the lease settings for credentials generated
-by Vault. This is done by writing to the `config/lease` key:
+    It is important that the Vault user have the administrator privilege to
+    manager users.
 
-```
-$ vault write rabbitmq/config/lease ttl=3600 max_ttl=86400
-Success! Data written to: rabbitmq/config/lease
-```
 
-This restricts each credential to being valid or leased for 1 hour
-at a time, with a maximum use period of 24 hours. This forces an
-application to renew their credentials at least hourly, and to recycle
-them once per day.
+1. Configure a role that maps a name in Vault to virtual host permissions:
 
-The next step is to configure a role. A role is a logical name that maps
-to tags and virtual host permissions used to generated those credentials.
-For example, lets create a "readwrite" virtual host role:
+    ```text
+    $ vault write rabbitmq/roles/my-role \
+        vhosts='{"/":{"write": ".*", "read": ".*"}}'
+    Success! Data written to: rabbitmq/roles/my-role
+    ```
 
-```text
-$ vault write rabbitmq/roles/readwrite \
-    vhosts='{"/":{"write": ".*", "read": ".*"}}'
-Success! Data written to: rabbitmq/roles/readwrite
-```
+    By writing to the `roles/my-role` path we are defining the `my-role` role.
+    This role will be created by evaluating the given `vhosts` and `tags`
+    statements. By default, no tags and no virtual hosts are assigned to a role.
+    You can read more about [RabbitMQ management tags][rmq-perms].
 
-By writing to the `roles/readwrite` path we are defining the `readwrite` role.
-This role will be created by evaluating the given `vhosts` and `tags` statements.
-By default, no tags and no virtual hosts are assigned to a role. You can read more
-about RabbitMQ management tags [here](https://www.rabbitmq.com/management.html#permissions).
-Configure, write, and read permissions are granted per virtual host.
+## Usage
 
-To generate a new set of credentials, we simply read from that role.
-Vault is now configured to create and manage credentials for RabbitMQ!
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
 
-```text
-$ vault read rabbitmq/creds/readwrite
-lease_id       rabbitmq/creds/readwrite/2740df96-d1c2-7140-c406-77a137fa3ecf
-lease_duration 3600
-lease_renewable	true
-password       e1b6c159-ca63-4c6a-3886-6639eae06c30
-username       root-4b95bf47-281d-dcb5-8a60-9594f8056092
-```
+1. Generate a new credential by reading from the `/creds` endpoint with the name
+of the role:
 
-By reading from the `creds/readwrite` path, Vault has generated a new
-set of credentials using the `readwrite` role configuration. Here we
-see the dynamically generated username and password, along with a one
-hour lease.
+    ```text
+    $ vault read rabbitmq/creds/my-role
+    Key                Value
+    ---                -----
+    lease_id           rabbitmq/creds/my-role/37d70d04-f24d-760a-e06e-b9b21087f0f4
+    lease_duration     768h
+    lease_renewable    true
+    password           a98af72b-b6c9-b4b1-fe37-c73a572befed
+    username           token-590f1fe2-1094-a4d6-01a7-9d4ff756a085
+    ```
 
-Using ACLs, it is possible to restrict using the rabbitmq backend such
-that trusted operators can manage the role definitions, and both
-users and applications are restricted in the credentials they are
-allowed to read.
-
-If you get stuck at any time, simply run `vault path-help rabbitmq` or with a
-subpath for interactive help output.
+    Using ACLs, it is possible to restrict using the rabbitmq secrets engine
+    such that trusted operators can manage the role definitions, and both users
+    and applications are restricted in the credentials they are allowed to read.
 
 ## API
 
-The RabbitMQ secret backend has a full HTTP API. Please see the
-[RabbitMQ secret backend API](/api/secret/rabbitmq/index.html) for more
+The RabbitMQ secrets engine has a full HTTP API. Please see the
+[RabbitMQ secrets engine API](/api/secret/rabbitmq/index.html) for more
 details.
+
+[rmq-perms]: https://www.rabbitmq.com/management.html#permissions
diff --git a/website/source/docs/secrets/ssh/dynamic-ssh-keys.html.md b/website/source/docs/secrets/ssh/dynamic-ssh-keys.html.md
index a77c1df04..93350fe15 100644
--- a/website/source/docs/secrets/ssh/dynamic-ssh-keys.html.md
+++ b/website/source/docs/secrets/ssh/dynamic-ssh-keys.html.md
@@ -1,6 +1,6 @@
 ---
 layout: "docs"
-page_title: "Dynamic SSH Keys - SSH Secret Backend"
+page_title: "Dynamic SSH Keys - SSH - Secrets Engines"
 sidebar_current: "docs-secrets-ssh-dynamic-ssh-keys"
 description: |-
   When using this type, the administrator registers a secret key with
@@ -23,7 +23,7 @@ request, Vault creates a new SSH key pair and appends the newly-generated public
 key to the `authorized_keys` file for the configured username on the remote
 host. Vault uses a configurable install script to achieve this.
 
-The backend does not prompt for `sudo` passwords; the `NOPASSWD` option for
+The secrets engine does not prompt for `sudo` passwords; the `NOPASSWD` option for
 sudoers should be enabled at all remote hosts for the Vault administrative
 user.
 
@@ -35,8 +35,8 @@ audit the SSH session establishments.
 When the credential lease expires, Vault removes the secret key from the remote
 machine.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
 
 ### Drawbacks
 
@@ -75,7 +75,7 @@ vaultadmin   ALL=(ALL)NOPASSWD: ALL
 Next, infrastructure configuration must be registered with Vault via roles.
 First, however, the shared secret key must be specified.
 
-### Mount the backend
+### Mount the secrets engine
 
 ```text
 $ vault mount ssh
@@ -189,6 +189,6 @@ username@<IP of remote host>:~$
 
 ## API
 
-The SSH secret backend has a full HTTP API. Please see the
-[SSH secret backend API](/api/secret/ssh/index.html) for more
+The SSH secret secrets engine has a full HTTP API. Please see the
+[SSH secret secrets engine API](/api/secret/ssh/index.html) for more
 details.
diff --git a/website/source/docs/secrets/ssh/index.html.md b/website/source/docs/secrets/ssh/index.html.md
index 124193c96..568d53331 100644
--- a/website/source/docs/secrets/ssh/index.html.md
+++ b/website/source/docs/secrets/ssh/index.html.md
@@ -1,24 +1,24 @@
 ---
 layout: "docs"
-page_title: "SSH Secret Backend"
+page_title: "SSH - Secrets Engines"
 sidebar_current: "docs-secrets-ssh"
 description: |-
-  The Vault SSH secret backend provides secure authentication and authorization
+  The Vault SSH secrets engine provides secure authentication and authorization
   for access to machines via the SSH protocol. There are multiple modes to the
-  Vault SSH backend including signed SSH certificates, dynamic SSH keys, and
-  one-time passwords.
+  Vault SSH secrets engine including signed SSH certificates, dynamic SSH keys,
+  and one-time passwords.
 ---
 
-# SSH Secret Backend
+# SSH Secrets Engine
 
 Name: `ssh`
 
-The Vault SSH secret backend provides secure authentication and authorization
-for access to machines via the SSH protocol. The Vault SSH backend helps manage
-access to machine infrastructure, providing several ways to issue SSH
+The Vault SSH secrets engine provides secure authentication and authorization
+for access to machines via the SSH protocol. The Vault SSH secrets engine helps
+manage access to machine infrastructure, providing several ways to issue SSH
 credentials.
 
-The Vault SSH secret backend supports the following modes. Each mode is
+The Vault SSH secrets engine supports the following modes. Each mode is
 individually documented on its own page.
 
 - [Signed SSH Certificates](/docs/secrets/ssh/signed-ssh-certificates.html)
@@ -29,6 +29,6 @@ All guides assume a basic familiarity with the SSH protocol.
 
 ## API
 
-The SSH secret backend has a full HTTP API. Please see the
-[SSH secret backend API](/api/secret/ssh/index.html) for more
+The SSH secrets engine has a full HTTP API. Please see the
+[SSH secrets engine API](/api/secret/ssh/index.html) for more
 details.
diff --git a/website/source/docs/secrets/ssh/one-time-ssh-passwords.html.md b/website/source/docs/secrets/ssh/one-time-ssh-passwords.html.md
index 4d7d1a862..6c52e75be 100644
--- a/website/source/docs/secrets/ssh/one-time-ssh-passwords.html.md
+++ b/website/source/docs/secrets/ssh/one-time-ssh-passwords.html.md
@@ -1,16 +1,16 @@
 ---
 layout: "docs"
-page_title: "One-Time SSH Passwords (OTP) - SSH Secret Backend"
+page_title: "One-Time SSH Passwords (OTP) - SSH - Secrets Engines"
 sidebar_current: "docs-secrets-ssh-one-time-ssh-passwords"
 description: |-
-  The One-Time SSH Password (OTP) SSH secret backend type allows a Vault server
+  The One-Time SSH Password (OTP) SSH secrets engine type allows a Vault server
   to issue a One-Time Password every time a client wants to SSH into a remote
   host using a helper command on the remote host to perform verification.
 ---
 
 # One-Time SSH Passwords
 
-The One-Time SSH Password (OTP) SSH secret backend type allows a Vault server to
+The One-Time SSH Password (OTP) SSH secrets engine type allows a Vault server to
 issue a One-Time Password every time a client wants to SSH into a remote host
 using a helper command on the remote host to perform verification.
 
@@ -22,23 +22,24 @@ server then deletes this OTP, ensuring that it is only used once.
 
 Since the Vault server is contacted during SSH connection establishment, every
 login attempt and the correlating Vault lease information is logged to the audit
-backend.
+secrets engine.
 
 See [Vault-SSH-Helper](https://github.com/hashicorp/vault-ssh-helper) for
 details on the helper.
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+This page will show a quick start for this secrets engine. For detailed
+documentation on every path, use `vault path-help` after mounting the secrets
+engine.
 
 ### Drawbacks
 
-The main concern with the OTP backend type is the remote host's connection to
-Vault; if compromised, an attacker could spoof the Vault server returning a
-successful request. This risk can be mitigated by using TLS for the connection
-to Vault and checking certificate validity; future enhancements to this backend
-may allow for extra security on top of what TLS provides.
+The main concern with the OTP secrets engine type is the remote host's
+connection to Vault; if compromised, an attacker could spoof the Vault server
+returning a successful request. This risk can be mitigated by using TLS for the
+connection to Vault and checking certificate validity; future enhancements to
+this secrets engine may allow for extra security on top of what TLS provides.
 
-### Mount the backend
+### Mount the secrets engine
 
 ```text
 $ vault mount ssh
@@ -109,6 +110,6 @@ disabled by setting `-strict-host-key-checking=no`.
 
 ## API
 
-The SSH secret backend has a full HTTP API. Please see the
-[SSH secret backend API](/api/secret/ssh/index.html) for more
+The SSH secrets engine has a full HTTP API. Please see the
+[SSH secrets engine API](/api/secret/ssh/index.html) for more
 details.
diff --git a/website/source/docs/secrets/ssh/signed-ssh-certificates.html.md b/website/source/docs/secrets/ssh/signed-ssh-certificates.html.md
index b377ddd4f..efd5b6c6d 100644
--- a/website/source/docs/secrets/ssh/signed-ssh-certificates.html.md
+++ b/website/source/docs/secrets/ssh/signed-ssh-certificates.html.md
@@ -1,11 +1,11 @@
 ---
 layout: "docs"
-page_title: "Signed SSH Certificates - SSH Secret Backend"
+page_title: "Signed SSH Certificates - SSH - Secrets Engines"
 sidebar_current: "docs-secrets-ssh-signed-ssh-certificates"
 description: |-
   The signed SSH certificates is the simplest and most powerful in terms of
   setup complexity and in terms of being platform agnostic. When using this
-  type, an SSH CA signing key is generated or configured at the backend's mount.
+  type, an SSH CA signing key is generated or configured at the secrets engine's mount.
   This key will be used to sign other SSH keys.
 ---
 
@@ -20,12 +20,12 @@ In this section, the term "**client**" refers to the person or machine
 performing the SSH operation. The "**host**" refers to the target machine. If
 this is confusing, substitute "client" with "user".
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+This page will show a quick start for this secrets engine. For detailed documentation
+on every path, use `vault path-help` after mounting the secrets engine.
 
 ## Client Key Signing
 
-Before a client can request their SSH key be signed, the Vault SSH backend must
+Before a client can request their SSH key be signed, the Vault SSH secrets engine must
 be configured. Usually a Vault administrator or security team performs these
 steps. It is also possible to automate these actions using a configuration
 management tool like Chef, Puppet, Ansible, or Salt.
@@ -35,7 +35,7 @@ management tool like Chef, Puppet, Ansible, or Salt.
 The following steps are performed in advance by a Vault administrator, security
 team, or configuration management tooling.
 
-1. Mount the backend. Like all secret backends in Vault, the SSH secret backend
+1. Mount the secrets engine. Like all secrets engines in Vault, the SSH secrets engine
 must be mounted before use.
 
     ```text
@@ -43,8 +43,8 @@ must be mounted before use.
     Successfully mounted 'ssh' at 'ssh-client-signer'!
     ```
 
-    This mounts the SSH backend at the path "ssh-client-signer". It is possible
-    to mount the same secret backend multiple times using different `-path`
+    This mounts the SSH secrets engine at the path "ssh-client-signer". It is possible
+    to mount the same secrets engine multiple times using different `-path`
     arguments. The name "ssh-client-signer" is not special - it can be any name,
     but this documentation will assume "ssh-client-signer".
 
@@ -197,7 +197,7 @@ accidentally SSHing into an unmanaged or malicious machine.
 
 ### Signing Key Configuration
 
-1. Mount the backend. For the most security, mount at a different path from the
+1. Mount the secrets engine. For the most security, mount at a different path from the
 client signer.
 
     ```text
@@ -480,6 +480,6 @@ forwarding. See [no prompt after login](#no-prompt-after-login) for examples.
 
 ## API
 
-The SSH secret backend has a full HTTP API. Please see the
-[SSH secret backend API](/api/secret/ssh/index.html) for more
+The SSH secrets engine has a full HTTP API. Please see the
+[SSH secrets engine API](/api/secret/ssh/index.html) for more
 details.
diff --git a/website/source/docs/secrets/totp/index.html.md b/website/source/docs/secrets/totp/index.html.md
index 6ae9ca14b..a2d26f2fa 100644
--- a/website/source/docs/secrets/totp/index.html.md
+++ b/website/source/docs/secrets/totp/index.html.md
@@ -1,83 +1,126 @@
 ---
 layout: "docs"
-page_title: "TOTP Secret Backend"
+page_title: "TOTP - Secrets Engines"
 sidebar_current: "docs-secrets-totp"
 description: |-
-  The TOTP secret backend for Vault generates time-based one-time use passwords.
+  The TOTP secrets engine for Vault generates time-based one-time use passwords.
 ---
 
-# TOTP Secret Backend
+# TOTP Secrets Engine
 
-Name: `totp`
+The TOTP secrets engine generates time-based credentials according to the TOTP
+standard. The secrets engine can also be used to generate a new key and validate
+passwords generated by that key.
 
-The TOTP secret backend for Vault will allow Vault users to store their multi-factor
-authentication keys in Vault and use the API to retrieve time-based one-time use passwords
-on demand. The backend can also be used to generate a new key and validate passwords generated by that key.
+The TOTP secrets engine can act as both a generator (like Google Authenticator)
+and a provider (like the Google.com sign in service).
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+## As a Generator
 
-## Quick Start
+The TOTP secrets engine can act as a TOTP code generator. In this mode, it can
+replace traditional TOTP generators like Google Authenticator. It provides an
+added layer of security since the ability to generate codes is guarded by
+policies and the entire process is audited.
 
-The first step to using the TOTP backend is to mount it.
-Unlike the `kv` backend, the `totp` backend is not mounted by default.
+### Setup
 
-```text
-$ vault mount totp
-Successfully mounted 'totp' at 'totp'!
-```
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
 
-The next step is to configure a key. For example, lets create
-a "test" key by passing in a TOTP key url:
+1. Enable the TOTP secrets engine:
 
-```text
-$ vault write totp/keys/test \
-    url="otpauth://totp/Vault:test@gmail.com?secret=Y64VEVMBTSXCYIWRSHRNDZW62MPGVU2G&issuer=Vault"
-Success! Data written to: totp/keys/test
-```
+    ```text
+    $ vault secrets enable totp
+    Success! Enabled the totp secrets engine at: totp/
+    ```
 
-By writing to the `keys/test` path we are defining the `test` key.
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-To generate a new set of credentials, we simply read from that key using the `code` path:
+1. Configure a named key. The name of this key will be a human identifier as to
+its purpose.
 
-```text
-$ vault read totp/code/test
-Key           	Value
-code            135031
-```
-Vault is now configured to create time-based one-time use passwords!
+    ```text
+    $ vault write totp/keys/my-key \
+        url="otpauth://totp/Vault:test@test.com?secret=Y64VEVMBTSXCYIWRSHRNDZW62MPGVU2G&issuer=Vault"
+    Success! Data written to: totp/keys/my-key
+    ```
 
-By reading from the `code/test` path, Vault has generated a new
-time-based one-time use password using the `test` key configuration.
+    The `url` corresponds to the secret key or value from the barcode provided
+    by the third-party service.
 
-Using ACLs, it is possible to restrict using the TOTP backend such
-that trusted operators can manage the key definitions, and both
-users and applications are restricted in the credentials they are
-allowed to read.
+### Usage
 
-The TOTP backend can also be used to generate new keys and validate passwords generated using those keys.
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can generate credentials.
 
-In order to generate a new key, set the generate flag to true and pass in an issuer and account name.
+1. Generate a new time-based OTP by reading from the `/code` endpoint with the
+name of the key:
 
-```text
-$ vault write totp/keys/test \
-    generate=true issuer=Vault account_name=test@gmail.com
-```
-A base64 encoded barcode and url will be returned upon generating a new key. These can be given to client applications that
-can generate passwords. You can validate those passwords by writing to the `code/test` path.
+    ```text
+    $ vault read totp/code/my-key
+    Key     Value
+    ---     -----
+    code    260610
+    ```
 
-```text
-$ vault write totp/code/test \
-    code=127388
-Key           	Value
-valid           true
-```
+    Using ACLs, it is possible to restrict using the TOTP secrets engine such
+    that trusted operators can manage the key definitions, and both users and
+    applications are restricted in the credentials they are allowed to read.
 
-If you get stuck at any time, simply run `vault path-help totp` or with a
-subpath for interactive help output.
+## As a Provider
+
+The TOTP secrets engine can also act as a TOTP provider. In this mode, it can be
+used to generate new keys and validate passwords generated using those keys.
+
+### Setup
+
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
+
+1. Enable the TOTP secrets engine:
+
+    ```text
+    $ vault secrets enable totp
+    Success! Enabled the totp secrets engine at: totp/
+    ```
+
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
+
+1. Create a named key, using the `generate` option. This tells Vault to be the
+provider:
+
+    ```text
+    $ vault write totp/keys/my-user \
+        generate=true \
+        issuer=Vault \
+        account_name=user@test.com
+
+    Key        Value
+    ---        -----
+    barcode    iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BA...
+    url        otpauth://totp/Vault:user@test.com?algorithm=SHA1&digits=6&issuer=Vault&period=30&secret=V7MBSK324I7KF6KVW34NDFH2GYHIF6JY
+    ```
+
+    The response includes a base64-encoded barcode and OTP url. Both are
+    equivalent. Give these to the user who is authenticating with TOTP.
+
+### Usage
+
+1. As a user, validate a TOTP code generated by a third-party app:
+
+    ```text
+    $ vault write totp/code/my-user code=886531
+    Key      Value
+    ---      -----
+    valid    true
+    ```
 
 ## API
 
-The TOTP secret backend has a full HTTP API. Please see the
-[TOTP secret backend API](/api/secret/totp/index.html) for more
+The TOTP secrets engine has a full HTTP API. Please see the
+[TOTP secrets engine API](/api/secret/totp/index.html) for more
 details.
diff --git a/website/source/docs/secrets/transit/index.html.md b/website/source/docs/secrets/transit/index.html.md
index e84dd57e5..ed712cd9a 100644
--- a/website/source/docs/secrets/transit/index.html.md
+++ b/website/source/docs/secrets/transit/index.html.md
@@ -1,136 +1,143 @@
 ---
 layout: "docs"
-page_title: "Transit Secret Backend"
+page_title: "Transit - Secrets Engines"
 sidebar_current: "docs-secrets-transit"
 description: |-
-  The transit secret backend for Vault encrypts/decrypts data in-transit. It doesn't store any secrets.
+  The transit secrets engine for Vault encrypts/decrypts data in-transit. It doesn't store any secrets.
 ---
 
-# Transit Secret Backend
+# Transit Secrets Engine
 
-Name: `transit`
-
-The transit secret backend handles cryptographic functions on data in-transit.
-Vault doesn't store the data sent to the backend. It can also be viewed as
-"cryptography as a service."
+The transit secrets engine handles cryptographic functions on data in-transit.
+Vault doesn't store the data sent to the secrets engine. It can also be viewed
+as "cryptography as a service" or "encryption as a service". The transit secrets
+engine can also sign and verify data; generate hashes and HMACs of data; and act
+as a source of random bytes.
 
 The primary use case for `transit` is to encrypt data from applications while
 still storing that encrypted data in some primary data store. This relieves the
 burden of proper encryption/decryption from application developers and pushes
-the burden onto the operators of Vault.  Operators of Vault generally include
-the security team at an organization, which means they can ensure that data is
-encrypted/decrypted properly. Additionally, since encrypt/decrypt operations
-must enter the audit log, any decryption event is recorded.
-
-`transit` can also sign and verify data; generate hashes and HMACs of data; and
-act as a source of random bytes.
-
-Due to Vault's flexible ACLs, other interesting use-cases are possible. For
-instance, one set of Internet-facing servers can be given permission to encrypt
-with a named key but not decrypt with it; a separate set of servers not
-directly connected to the Internet can then perform decryption, reducing the
-data's attack surface.
+the burden onto the operators of Vault.
 
 Key derivation is supported, which allows the same key to be used for multiple
 purposes by deriving a new key based on a user-supplied context value. In this
 mode, convergent encryption can optionally be supported, which allows the same
 input values to produce the same ciphertext.
 
-The backend also supports key rotation, which allows a new version of the named
-key to be generated. All data encrypted with the key will use the newest
-version of the key; previously encrypted data can be decrypted using old
-versions of the key. Administrators can control which previous versions of a
-key are available for decryption, to prevent an attacker gaining an old copy of
-ciphertext to be able to successfully decrypt it. At any time, a legitimate
-user can "rewrap" the data, providing an old version of the ciphertext and
-receiving a new version encrypted with the latest key. Because rewrapping does
-not expose the plaintext, using Vault's ACL system, this can even be safely
-performed by unprivileged users or cron jobs.
-
 Datakey generation allows processes to request a high-entropy key of a given
 bit length be returned to them, encrypted with the named key. Normally this will
 also return the key in plaintext to allow for immediate use, but this can be
 disabled to accommodate auditing requirements.
 
-N.B.: As part of adding rotation support, the initial version of a named key
-produces ciphertext starting with version 1, i.e. containing `:v1:`. Keys from
-very old versions of Vault, when rotated, will jump to version 2 despite their
-previous ciphertext output containing `:v0:`. Decryption, however, treats
-version 0 and version 1 the same, so old ciphertext will still work.
+## Setup
 
-This page will show a quick start for this backend. For detailed documentation
-on every path, use `vault path-help` after mounting the backend.
+Most secrets engines must be configured in advance before they can perform their
+functions. These steps are usually completed by an operator or configuration
+management tool.
 
-## Quick Start
+1. Enable the Transit secrets engine:
 
-The first step to using the transit backend is to mount it. Unlike the `kv`
-backend, the `transit` backend is not mounted by default.
+    ```text
+    $ vault secrets enable transit
+    Success! Enabled the transit secrets engine at: transit/
+    ```
 
-```
-$ vault mount transit
-Successfully mounted 'transit' at 'transit'!
-```
+    By default, the secrets engine will mount at the name of the engine. To
+    enable the secrets engine at a different path, use the `-path` argument.
 
-The next step is to create a named encryption key. A named key is used so that
-many different applications can use the transit backend with independent keys.
-This is done by doing a write against the backend:
+1. Create a named encryption key ring:
 
-```
-$ vault write -f transit/keys/foo
-Success! Data written to: transit/keys/foo
-```
+    ```text
+    $ vault write -f transit/keys/my-key
+    Success! Data written to: transit/keys/my-key
+    ```
 
-This will create the "foo" named key in the transit backend. We can inspect
-the settings of the "foo" key by reading it:
+    Usually each application has its own encryption key ring.
 
-```
-$ vault read transit/keys/foo
-Key                     Value
-deletion_allowed      	false
-derived               	false
-exportable            	false
-keys                  	map[1:1484070923]
-latest_version        	1
-min_decryption_version	1
-name                  	foo
-supports_decryption   	true
-supports_derivation   	true
-supports_encryption   	true
-supports_signing      	false
-type                  	aes256-gcm96
-```
+## Usage
 
-Now, if we wanted to encrypt a piece of plain text, we use the encrypt
-endpoint using our named key:
+After the secrets engine is configured and a user/machine has a Vault token with
+the proper permission, it can use this secrets engine.
 
-```
-$ echo -n "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=-
-Key       	Value
-ciphertext	vault:v1:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv
-```
+1. Encrypt some plaintext data using the `/encrypt` endpoint with a named key:
 
-The encryption endpoint expects the plaintext to be provided as a base64 encoded
-strings, so we must first convert it. Vault does not store the plaintext or the
-ciphertext, but only handles it _in transit_ for processing. The application
-is free to store the ciphertext in a database or file at rest.
+    ```text
+    $ vault write transit/encrypt/my-key plaintext=$(base64 <<< "my secret data")
 
-To decrypt, we simply use the decrypt endpoint using the same named key:
+    Key           Value
+    ---           -----
+    ciphertext    vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
+    ```
 
-```
-$ vault write transit/decrypt/foo ciphertext=vault:v1:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv
-Key      	Value
-plaintext	dGhlIHF1aWNrIGJyb3duIGZveAo=
+    All plaintext data **must be base64-encoded**. The reason for this
+    requirement is that Vault does not require that the plaintext is "text". It
+    could be a binary file such as a PDF or image. The easiest safe transport
+    mechanism for this data as part of a JSON payload is to base64-encode it.
 
-$ echo "dGhlIHF1aWNrIGJyb3duIGZveAo=" | base64 -d
-the quick brown fox
-```
+    Note that Vault does not _store_ any of this data. The caller is responsible
+    for storing the encrypted ciphertext. When the caller wants the plaintext,
+    it must provide the ciphertext back to Vault to decrypt the value.
 
-Using ACLs, it is possible to restrict using the transit backend such
-that trusted operators can manage the named keys, and applications can
-only encrypt or decrypt using the named keys they need access to.
+1. Decrypt a piece of data using the `/decrypt` endpoint with a named key:
+
+    ```text
+    $ vault write transit/decrypt/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
+
+    Key          Value
+    ---          -----
+    plaintext    bXkgc2VjcmV0IGRhdGEK
+    ```
+
+    The resulting data is base64-encoded (see the note above for details on
+    why). Decode it to get the raw plaintext:
+
+    ```text
+    $ base64 --decode <<< "bXkgc2VjcmV0IGRhdGEK"
+    my secret data
+    ```
+
+    It is also possible to script this decryption using some clever shell
+    scripting in one command:
+
+    ```text
+    $ vault write -field=plaintext transit/decrypt/my-key ciphertext=... | base64 --decode
+    my secret data
+    ```
+
+    Using ACLs, it is possible to restrict using the transit secrets engine such
+    that trusted operators can manage the named keys, and applications can only
+    encrypt or decrypt using the named keys they need access to.
+
+1. Rotate the underlying encryption key. This will generate a new encryption key
+and add it to the keyring for the named key:
+
+    ```text
+    $ vault write -f transit/keys/my-key/rotate
+    Success! Data written to: transit/keys/my-key/rotate
+    ```
+
+    Future encryptions will use this new key. Old data can still be decrypted
+    due to the use of a key ring.
+
+1. Upgrade already-encrypted data to a new key. Vault will decrypt the value
+using the appropriate key in the keyring and then encrypted the resulting
+plaintext with the newest key in the keyring.
+
+    ```text
+    $ vault write transit/rewrap/my-key ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
+
+    Key           Value
+    ---           -----
+    ciphertext    vault:v2:0VHTTBb2EyyNYHsa3XiXsvXOQSLKulH+NqS4eRZdtc2TwQCxqJ7PUipvqQ==
+    ```
+
+    This process **does not** reveal the plaintext data. As such, a Vault policy
+    could grant almost an untrusted process the ability to "rewrap" encrypted
+    data, since the process would not be able to get access to the plaintext
+    data.
 
 ## API
 
-The Transit secret backend has a full HTTP API. Please see the
-[Transit secret backend API](/api/secret/transit/index.html) for more
+The Transit secrets engine has a full HTTP API. Please see the
+[Transit secrets engine API](/api/secret/transit/index.html) for more
 details.
diff --git a/website/source/guides/plugin-backends.html.md b/website/source/guides/plugin-backends.html.md
index a3be28cd7..532d6cebf 100644
--- a/website/source/guides/plugin-backends.html.md
+++ b/website/source/guides/plugin-backends.html.md
@@ -11,11 +11,11 @@ description: |-
 Plugin backends utilize the [plugin system][plugin-system] to enable
 third-party secret and auth methods to be mounted.
 
-It is worth noting that even though [database backends][database-backend]
+It is worth noting that even though [database secrets engines][database-backend]
 operate under the same underlying plugin mechanism, they are slightly different
-in design than plugin backends demonstrated in this guide. The database backend
-manages multiple plugins under the same backend mount point, whereas plugin
-backends are generic backends that function as either secret or auth methods.
+in design than plugin backends demonstrated in this guide. The database secrets
+engine manages multiple plugins under the same backend mount point, whereas
+plugin backends are kv backends that function as either secret or auth methods.
 
 This guide provides steps to build, register, and mount non-database external
 plugin backends.
diff --git a/website/source/guides/upgrading/upgrade-to-0.5.0.html.md b/website/source/guides/upgrading/upgrade-to-0.5.0.html.md
index 95578ab4b..9ac5e5761 100644
--- a/website/source/guides/upgrading/upgrade-to-0.5.0.html.md
+++ b/website/source/guides/upgrading/upgrade-to-0.5.0.html.md
@@ -122,7 +122,7 @@ cannot be less restrictive than the mount's maximum TTL.)
 - `userpass` – The renew function now uses the backend's configured maximum TTL,
   if set; otherwise the mount maximum TTL is used.
 
-#### Secret Backends
+#### Secrets Engines
 
 - `aws` – New IAM roles no longer always have a default TTL of one hour, instead
   honoring the configured default if available and the mount default TTL if not
diff --git a/website/source/intro/getting-started/authentication.html.md b/website/source/intro/getting-started/authentication.html.md
index 707eff192..d96774bd8 100644
--- a/website/source/intro/getting-started/authentication.html.md
+++ b/website/source/intro/getting-started/authentication.html.md
@@ -99,7 +99,7 @@ $ vault auth enable github
 Success! Enabled github auth method at: github/
 ```
 
-Auth methods are mounted, just like secret backends, except auth
+Auth methods are mounted, just like secrets engines, except auth
 backends are always prefixed with `auth/`. So the GitHub backend we just
 mounted can be accessed at `auth/github`. You can use `vault path-help` to
 learn more about it.
diff --git a/website/source/intro/getting-started/dynamic-secrets.html.md b/website/source/intro/getting-started/dynamic-secrets.html.md
index b723382e3..240399af9 100644
--- a/website/source/intro/getting-started/dynamic-secrets.html.md
+++ b/website/source/intro/getting-started/dynamic-secrets.html.md
@@ -15,7 +15,7 @@ Vault: _dynamic secrets_.
 Dynamic secrets are secrets that are generated when they're accessed,
 and aren't statically written like we did in
 [Your First Secret](/intro/getting-started/first-secret.html).
-On this page, we'll use the built-in AWS secret backend to dynamically
+On this page, we'll use the built-in AWS secrets engine to dynamically
 generate AWS access keys.
 
 The power of dynamic secrets is that they simply don't exist before
@@ -40,7 +40,7 @@ Successfully mounted 'aws' at 'aws'!
 ```
 
 The AWS backend is now mounted at `aws/`. As we covered in a previous
-section: different secret backends allow for different behavior, and in this
+section: different secrets engines allow for different behavior, and in this
 case the AWS backend is a dynamic backend for generating AWS access credentials.
 
 ## Configuring the AWS Backend
@@ -59,7 +59,7 @@ $ vault write aws/config/root \
 Success! Data written to: aws/config/root
 ```
 
-Remember that secret backends can behave anyway they want when
+Remember that secrets engines can behave anyway they want when
 reading/writing a path, so this path stores this configuration for
 later. Notice you can't read it back:
 
diff --git a/website/source/intro/getting-started/first-secret.html.md b/website/source/intro/getting-started/first-secret.html.md
index 3501aa990..02540971a 100644
--- a/website/source/intro/getting-started/first-secret.html.md
+++ b/website/source/intro/getting-started/first-secret.html.md
@@ -123,4 +123,4 @@ In this section we learned how to use the powerful CRUD features of
 Vault to store arbitrary secrets. On its own this is already a useful
 but basic feature.
 
-Next, we'll learn the basics about [secret backends](/intro/getting-started/secret-backends.html).
+Next, we'll learn the basics about [secrets engines](/intro/getting-started/secret-backends.html).
diff --git a/website/source/intro/getting-started/help.html.md b/website/source/intro/getting-started/help.html.md
index a8a046fae..41f6e7547 100644
--- a/website/source/intro/getting-started/help.html.md
+++ b/website/source/intro/getting-started/help.html.md
@@ -9,7 +9,7 @@ description: |-
 # Built-in Help
 
 You've now worked with `vault write` and `vault read` for multiple
-paths: the kv secret backend with `secret/` and dynamic AWS
+paths: the kv secrets engine with `secret/` and dynamic AWS
 credentials with the AWS backend provider at `aws/`. In both cases, the
 structure and usage of each backend differed, for example the AWS
 backend has special paths like `aws/config`.
diff --git a/website/source/intro/getting-started/secret-backends.html.md b/website/source/intro/getting-started/secret-backends.html.md
index 9ff188db2..c4934d83a 100644
--- a/website/source/intro/getting-started/secret-backends.html.md
+++ b/website/source/intro/getting-started/secret-backends.html.md
@@ -1,12 +1,12 @@
 ---
 layout: "intro"
-page_title: "Secret Backends - Getting Started"
+page_title: "Secrets Engines - Getting Started"
 sidebar_current: "gettingstarted-secretbackends"
 description: |-
-  Secret backends are what create, read, update, and delete secrets.
+  secrets engines are what create, read, update, and delete secrets.
 ---
 
-# Secret Backends
+# Secrets Engines
 
 Previously, we saw how to read and write arbitrary secrets to Vault.  To
 do this, we used the `secret/` prefix. This prefix specifies which
@@ -87,10 +87,10 @@ backend changes its mount point. This is still a disruptive command: the
 stored data is retained, but all secrets are revoked since secrets are
 closely tied to their mount paths.
 
-## What is a Secret Backend?
+## What is a Secrets Engine?
 
 Now that you've mounted and unmounted a backend, you might wonder:
-"what is a secret backend? what is the point of this mounting system?"
+"what is a secrets engine? what is the point of this mounting system?"
 
 Vault behaves a lot like a [virtual filesystem](https://en.wikipedia.org/wiki/Virtual_file_system).
 The read/write/delete operations are forwarded to the backend, and the
@@ -111,7 +111,7 @@ etc. all using the same read/write interface.
 
 ## Next
 
-You now know about secret backends and how to operate on the mount table.
+You now know about secrets engines and how to operate on the mount table.
 This is important knowledge to move forward and learn about other secret
 backends.
 
diff --git a/website/source/intro/vs/kms.html.md b/website/source/intro/vs/kms.html.md
index 58453ae2b..6c92dcb14 100644
--- a/website/source/intro/vs/kms.html.md
+++ b/website/source/intro/vs/kms.html.md
@@ -23,7 +23,7 @@ capabilities as KMS, allowing for encryption keys to be stored and
 cryptographic operations to be performed. However, Vault goes much further than
 just key management.
 
-The flexible secret backends allow Vault to handle any type of secret data,
+The flexible secrets engines allow Vault to handle any type of secret data,
 including database credentials, API keys, PKI keys, and encryption keys.  Vault
 also supports dynamic secrets, generating credentials on-demand for
 fine-grained security controls, auditing, and non-repudiation.
diff --git a/website/source/layouts/api.erb b/website/source/layouts/api.erb
index 9cc888d88..04607bd68 100644
--- a/website/source/layouts/api.erb
+++ b/website/source/layouts/api.erb
@@ -11,7 +11,7 @@
       <hr>
 
       <li<%= sidebar_current("docs-http-secret") %>>
-        <a href="/api/secret/index.html">Secret Backends</a>
+        <a href="/api/secret/index.html">Secrets Engines</a>
         <ul class="nav">
           <li<%= sidebar_current("docs-http-secret-aws") %>>
             <a href="/api/secret/aws/index.html">AWS</a>
diff --git a/website/source/layouts/docs.erb b/website/source/layouts/docs.erb
index 846d48679..9d3ff62b4 100644
--- a/website/source/layouts/docs.erb
+++ b/website/source/layouts/docs.erb
@@ -323,7 +323,7 @@
       <hr>
 
       <li<%= sidebar_current("docs-secrets") %>>
-        <a href="/docs/secrets/index.html">Secret Backends</a>
+        <a href="/docs/secrets/index.html">Secrets Engines</a>
         <ul class="nav">
           <li<%= sidebar_current("docs-secrets-aws") %>>
             <a href="/docs/secrets/aws/index.html">AWS</a>
diff --git a/website/source/layouts/intro.erb b/website/source/layouts/intro.erb
index 4646ea4cf..7ad20e088 100644
--- a/website/source/layouts/intro.erb
+++ b/website/source/layouts/intro.erb
@@ -58,7 +58,7 @@
           </li>
 
           <li<%= sidebar_current("gettingstarted-secretbackends") %>>
-            <a href="/intro/getting-started/secret-backends.html">Secret Backends</a>
+            <a href="/intro/getting-started/secret-backends.html">Secrets Engines</a>
           </li>
 
           <li<%= sidebar_current("gettingstarted-dynamicsecrets") %>>