diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b51b7748..59a9a2af8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,8 +1,84 @@ -## Next +## 1.7.0 (Unreleased) + +IMPROVEMENTS: + +* agent: Agent can now run as a Windows service. [[GH-10231](https://github.com/hashicorp/vault/pull/10231)] +* auth/ldap: Improve consistency in error messages [[GH-10537](https://github.com/hashicorp/vault/pull/10537)] +* core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours +* core/metrics: Added "vault operator usage" command. [[GH-10365](https://github.com/hashicorp/vault/pull/10365)] +* core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [[GH-10375](https://github.com/hashicorp/vault/pull/10375)] +* core: Added active since timestamp to the status output of active nodes. [[GH-10489](https://github.com/hashicorp/vault/pull/10489)] +* secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [[GH-10558](https://github.com/hashicorp/vault/pull/10558)] BUG FIXES: +* agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [[GH-10556](https://github.com/hashicorp/vault/pull/10556)] +* api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [[GH-10490](https://github.com/hashicorp/vault/pull/10490)] +* api: Fixes CORS API methods that were outdated and invalid [[GH-10444](https://github.com/hashicorp/vault/pull/10444)] +* auth/jwt: Fixes `bound_claims` validation for provider-specific group and user info fetching. [[GH-10546](https://github.com/hashicorp/vault/pull/10546)] +* core (enterprise): Limit entropy augmentation during token generation to root tokens. [[GH-10487](https://github.com/hashicorp/vault/pull/10487)] +* core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace. +* core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. 
[[GH-10456](https://github.com/hashicorp/vault/pull/10456)] * core: Fix client.Clone() to include the address [[GH-10077](https://github.com/hashicorp/vault/pull/10077)] +* core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring `purgeInterval` and +`staleAge` are set appropriately. [[GH-10536](https://github.com/hashicorp/vault/pull/10536)] +* core: Make all APIs that report init status consistent, and make them report +initialized=true when a Raft join is in progress. [[GH-10498](https://github.com/hashicorp/vault/pull/10498)] +* license: Fix license caching issue that prevents new licenses to get picked up by the license manager [[GH-10424](https://github.com/hashicorp/vault/pull/10424)] +* secrets/database/influxdb: Fix issue where not all errors from InfluxDB were being handled [[GH-10384](https://github.com/hashicorp/vault/pull/10384)] +* secrets/database/mysql: Fixes issue where the DisplayName within generated usernames was the incorrect length [[GH-10433](https://github.com/hashicorp/vault/pull/10433)] +* secrets/database: Sanitize `private_key` field when reading database plugin config [[GH-10416](https://github.com/hashicorp/vault/pull/10416)] +* secrets/transit: allow for null string to be used for optional parameters in encrypt and decrypt [[GH-10386](https://github.com/hashicorp/vault/pull/10386)] +* transform (enterprise): Fix bug tokenization handling metadata on exportable stores +* transform (enterprise): Fix transform configuration not handling `stores` parameter on the legacy path +* transform (enterprise): Make expiration timestamps human readable +* transform (enterprise): Return false for invalid tokens on the validate endpoint rather than returning an HTTP error +* transform (enterprise): Fix bug where tokenization store changes are persisted but don't take effect +* ui: Fix bug in Transform secret engine when a new role is added and then removed from a transformation 
[[GH-10417](https://github.com/hashicorp/vault/pull/10417)] +* ui: Fix footer URL linking to the correct version changelog. [[GH-10491](https://github.com/hashicorp/vault/pull/10491)] + +## 1.6.1 +### December 16, 2020 + +SECURITY: + +* LDAP Auth Method: We addressed an issue where error messages returned by the + LDAP auth methold allowed user enumeration [[GH-10537](https://github.com/hashicorp/vault/pull/10537)]. This vulnerability affects Vault OSS and Vault + Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177). +* Sentinel EGP: We've fixed incorrect handling of namespace paths to prevent + users within namespaces from applying Sentinel EGP policies to paths above + their namespace. This vulnerability affects Vault Enterprise and is fixed in + 1.5.6 and 1.6.1. + +IMPROVEMENTS: + +* auth/ldap: Improve consistency in error messages [[GH-10537](https://github.com/hashicorp/vault/pull/10537)] +* core/metrics: Added "vault operator usage" command. [[GH-10365](https://github.com/hashicorp/vault/pull/10365)] +* secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [[GH-10558](https://github.com/hashicorp/vault/pull/10558)] + +BUG FIXES: + +* agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [[GH-10556](https://github.com/hashicorp/vault/pull/10556)] +* auth/jwt: Fixes `bound_claims` validation for provider-specific group and user info fetching. [[GH-10546](https://github.com/hashicorp/vault/pull/10546)] +* core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace. +* core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. 
[[GH-10456](https://github.com/hashicorp/vault/pull/10456)] +* core: Fix client.Clone() to include the address [[GH-10077](https://github.com/hashicorp/vault/pull/10077)] +* core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring `purgeInterval` and +`staleAge` are set appropriately. [[GH-10536](https://github.com/hashicorp/vault/pull/10536)] +* core: Make all APIs that report init status consistent, and make them report +initialized=true when a Raft join is in progress. [[GH-10498](https://github.com/hashicorp/vault/pull/10498)] +* secrets/database/influxdb: Fix issue where not all errors from InfluxDB were being handled [[GH-10384](https://github.com/hashicorp/vault/pull/10384)] +* secrets/database/mysql: Fixes issue where the DisplayName within generated usernames was the incorrect length [[GH-10433](https://github.com/hashicorp/vault/pull/10433)] +* secrets/database: Sanitize `private_key` field when reading database plugin config [[GH-10416](https://github.com/hashicorp/vault/pull/10416)] +* secrets/transit: allow for null string to be used for optional parameters in encrypt and decrypt [[GH-10386](https://github.com/hashicorp/vault/pull/10386)] +* storage/raft (enterprise): The parameter aws_s3_server_kms_key was misnamed and didn't work. Renamed to aws_s3_kms_key, and make it work so that when provided the given key will be used to encrypt the snapshot using AWS KMS. 
+* transform (enterprise): Fix bug tokenization handling metadata on exportable stores +* transform (enterprise): Fix transform configuration not handling `stores` parameter on the legacy path +* transform (enterprise): Make expiration timestamps human readable +* transform (enterprise): Return false for invalid tokens on the validate endpoint rather than returning an HTTP error +* transform (enterprise): Fix bug where tokenization store changes are persisted but don't take effect +* ui: Fix bug in Transform secret engine when a new role is added and then removed from a transformation [[GH-10417](https://github.com/hashicorp/vault/pull/10417)] +* ui: Fix footer URL linking to the correct version changelog. [[GH-10491](https://github.com/hashicorp/vault/pull/10491)] ## 1.6.0 ### November 11th, 2020 
@@ -76,6 +152,31 @@ BUG FIXES: * ui: Update language on replication primary dashboard for clarity [[GH-10205](https://github.com/hashicorp/vault/pull/10217)] * core: Fix bug where updating an existing path quota could introduce a conflict. [[GH-10285](https://github.com/hashicorp/vault/pull/10285)] +## 1.5.6 +### December 16, 2020 + +SECURITY: + +* LDAP Auth Method: We addressed an issue where error messages returned by the + LDAP auth methold allowed user enumeration [[GH-10537](https://github.com/hashicorp/vault/pull/10537)]. This vulnerability affects Vault OSS and Vault + Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177). +* Sentinel EGP: We've fixed incorrect handling of namespace paths to prevent + users within namespaces from applying Sentinel EGP policies to paths above + their namespace. This vulnerability affects Vault Enterprise and is fixed in + 1.5.6 and 1.6.1. + +IMPROVEMENTS: + +* auth/ldap: Improve consistency in error messages [[GH-10537](https://github.com/hashicorp/vault/pull/10537)] + +BUG FIXES: + +* core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace. +* core: Fix bug where updating an existing path quota could introduce a conflict [[GH-10285](https://github.com/hashicorp/vault/pull/10285)] +* core: Fix client.Clone() to include the address [[GH-10077](https://github.com/hashicorp/vault/pull/10077)] +* quotas (enterprise): Reset cache before loading quotas in the db during startup +* secrets/transit: allow for null string to be used for optional parameters in encrypt and decrypt [[GH-10386](https://github.com/hashicorp/vault/pull/10386)] + ## 1.5.5 ### October 21, 2020 diff --git a/changelog/_1656.txt b/changelog/_1656.txt new file mode 100644 index 000000000..6bce70bee --- /dev/null +++ b/changelog/_1656.txt 
@@ -0,0 +1,5 @@ +```release-note:bug +storage/raft (enterprise): The parameter aws_s3_server_kms_key was misnamed and +didn't work. Renamed to aws_s3_kms_key, and make it work so that when provided +the given key will be used to encrypt the snapshot using AWS KMS. +```
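Review bot: in the first CHANGELOG.md hunk (@@ -1,8 +1,84 @@), the 1.6.1 SECURITY entry misspells "method" as "methold" ("LDAP auth methold allowed user enumeration"); the same typo recurs in the 1.5.6 section, so fix both. Two further points in this hunk: the line "core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace" carries a bare asterisk that markdown can read as an emphasis marker, so wrap it in backticks the way `purgeInterval` and `private_key` already are; and the 1.7.0 (Unreleased) section repeats the 1.6.1 IMPROVEMENTS and BUG FIXES lists but omits both the storage/raft (enterprise) aws_s3_kms_key entry and the SECURITY block for CVE-2020-35177, while still listing the GH-10537 LDAP change as a plain improvement, so either carry those two items forward as well or make clear why 1.7.0 excludes them.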
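Review bot: in the second CHANGELOG.md hunk (@@ -76,6 +152,31 @@), the new 1.5.6 section repeats the "auth methold" typo from the 1.6.1 entry, and its line "core: Fix bug where updating an existing path quota could introduce a conflict" drops the trailing period that the identical 1.6.0 entry in the surrounding context has; normalise both. The unchanged context line just above the hunk labels a link GH-10205 while its URL points at pull/10217; that predates this change but is worth correcting in the same pass.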
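Review bot: in the new changelog/_1656.txt, the release note mixes tenses ("was misnamed and didn't work. Renamed to aws_s3_kms_key, and make it work") and leaves both parameter names unformatted; suggest backticks for `aws_s3_server_kms_key` and `aws_s3_kms_key`, matching `purgeInterval` and `private_key` elsewhere in the CHANGELOG, and a single past tense, for example "Renamed to `aws_s3_kms_key` and fixed so that, when provided, the given key is used to encrypt the snapshot with AWS KMS." Because the old name didn't work, the note should also state what now happens to configurations that still set `aws_s3_server_kms_key` (rejected, warned on, or ignored), so operators do not assume their snapshots are KMS-encrypted when they are not.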