backport of commit 63ccb60b9a (#20877)

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

website/content/api-docs/secret/transit.mdx

@@ -510,6 +510,58 @@ $ curl \
     http://127.0.0.1:8200/v1/transit/keys/my-key/rotate
 ```
 
+## Securely Export Key
+
+This endpoint returns a wrapped copy of the `source` key, protected by the
+`destination` key using BYOK method accepted by the
+`/transit/keys/:name/import` API. This allows an operator using two separate
+Vault instances to secure established shared key material, withing exposing
+either key in plaintext and needing to run a manual BYOK import using the
+CLI helper utility.
+
+| Method | Path                                                   |
+| :----- | :----------------------------------------------------- |
+| `GET`  | `/transit/byok-export/:destination/:source(/:version)` |
+
+### Parameters
+
+- `destination` `(string: <required>)` - Specifies the name of the key to
+  encrypt the `source` key to: this is usually another mount or cluster's
+  wrapping key (from `/transit/wrapping_key`). This is specified as part of
+  the URL.
+
+~> Note: This destination key type must be an RSA key type.
+
+- `source` `(string: <required>)` - Specifies the source key to encrypt, to
+  copy (encrypted) to another cluster. This is specified as part of the URL.
+
+- `version` `(string: "")` - Specifies the version of the source key to
+  wrap. If omitted, all versions of the key will be returned. This is
+  specified as part of the URL. If the version is set to `latest`, the
+  current key will be returned.
+
+### Sample Request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/transit/byok-export/wrapping-key/to-be-shared-key/1
+```
+
+### Sample Response
+
+```json
+{
+  "data": {
+    "name": "foo",
+    "keys": {
+      "1": "H/0T+CKQ8I82KJWpPk ... additional response elided ...",
+    }
+  }
+}
+```
+
+
 ## Export Key
 
 This endpoint returns the named key. The `keys` object shows the value of the