diff --git a/configure.ac b/configure.ac
index ae63a4ac2..1fd625339 100644
--- a/configure.ac
+++ b/configure.ac
@@ -158,6 +158,7 @@ use_exec=yes
 card_support=yes
 agent_support=yes
 disable_keyserver_path=no
+large_secmem=no
 
 AC_ARG_ENABLE(minimal,
    AC_HELP_STRING([--enable-minimal],[build the smallest gpg binary possible]),
@@ -177,6 +178,21 @@ AC_ARG_ENABLE(minimal,
    agent_support=no)
 
 
+AC_MSG_CHECKING([whether to allocate extra secure memory])
+AC_ARG_ENABLE(large-secmem,
+              AC_HELP_STRING([--enable-large-secmem],
+                             [allocate extra secure memory]),
+              large_secmem=$enableval, large_secmem=no)
+AC_MSG_RESULT($large_secmem)
+if test "$large_secmem" = yes ; then
+   SECMEM_BUFFER_SIZE=65536
+else
+   SECMEM_BUFFER_SIZE=32768
+fi
+AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE,
+                   [Size of secure memory buffer])
+
+
 AC_MSG_CHECKING([whether OpenPGP card support is requested])
 AC_ARG_ENABLE(card-support,
               AC_HELP_STRING([--disable-card-support],
diff --git a/doc/gpg.texi b/doc/gpg.texi
index ded69cef1..ae8680965 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1104,6 +1104,15 @@ the opposite meaning. The options are:
   validation. This option is only meaningful if pka-lookups is set.
 @end table
 
+@item --enable-large-rsa
+@itemx --disable-large-rsa
+@opindex enable-large-rsa
+@opindex disable-large-rsa
+With --gen-key and --batch, enable the creation of larger RSA secret
+keys than is generally recommended (up to 8192 bits).  These large
+keys are more expensive to use, and their signatures and
+certifications are also larger.
+
 @item --enable-dsa2
 @itemx --disable-dsa2
 @opindex enable-dsa2
diff --git a/g10/gpg.c b/g10/gpg.c
index 1b0a364d8..6dc15fa79 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -372,6 +372,8 @@ enum cmd_and_opt_values
     oAutoKeyLocate,
     oNoAutoKeyLocate,
     oAllowMultisigVerification,
+    oEnableLargeRSA,
+    oDisableLargeRSA,
     oEnableDSA2,
     oDisableDSA2,
     oAllowMultipleMessages,
@@ -719,6 +721,8 @@ static ARGPARSE_OPTS opts[] = {
     { oDebugCCIDDriver, "debug-ccid-driver", 0, "@"},
 #endif
     { oAllowMultisigVerification, "allow-multisig-verification", 0, "@"},
+    { oEnableLargeRSA, "enable-large-rsa", 0, "@"},
+    { oDisableLargeRSA, "disable-large-rsa", 0, "@"},
     { oEnableDSA2, "enable-dsa2", 0, "@"},
     { oDisableDSA2, "disable-dsa2", 0, "@"},
     { oAllowMultipleMessages, "allow-multiple-messages", 0, "@"},
@@ -1995,7 +1999,7 @@ main (int argc, char **argv )
     }
 #endif
     /* initialize the secure memory. */
-    got_secmem=secmem_init( 32768 );
+    got_secmem=secmem_init( SECMEM_BUFFER_SIZE );
     maybe_setuid = 0;
     /* Okay, we are now working under our real uid */
 
@@ -2851,6 +2855,22 @@ main (int argc, char **argv )
 	    release_akl();
 	    break;
 
+	  case oEnableLargeRSA:
+#if SECMEM_BUFFER_SIZE >= 65536
+            opt.flags.large_rsa=1;
+#else
+            if (configname)
+              log_info("%s:%d: WARNING: gpg not built with large secure "
+                         "memory buffer.  Ignoring enable-large-rsa\n",
+                        configname,configlineno);
+            else
+              log_info("WARNING: gpg not built with large secure "
+                         "memory buffer.  Ignoring --enable-large-rsa\n");
+#endif /* SECMEM_BUFFER_SIZE >= 65536 */
+            break;
+	  case oDisableLargeRSA: opt.flags.large_rsa=0;
+            break;
+
 	  case oEnableDSA2: opt.flags.dsa2=1; break;
 	  case oDisableDSA2: opt.flags.dsa2=0; break;
 
diff --git a/g10/keygen.c b/g10/keygen.c
index 84f852f3f..90209083f 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -1253,6 +1253,7 @@ gen_rsa(int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
     PKT_public_key *pk;
     MPI skey[6];
     MPI *factors;
+    const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096);
 
     assert( is_RSA(algo) );
 
@@ -1260,8 +1261,8 @@ gen_rsa(int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
 	nbits = 2048;
 	log_info(_("keysize invalid; using %u bits\n"), nbits );
     }
-    else if (nbits > 4096) {
-        nbits = 4096;
+    else if (nbits > maxsize) {
+        nbits = maxsize;
         log_info(_("keysize invalid; using %u bits\n"), nbits );
     }
 
diff --git a/g10/options.h b/g10/options.h
index d6326d8d7..670cf64c2 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -231,6 +231,7 @@ struct
     unsigned int utf8_filename:1;
     unsigned int dsa2:1;
     unsigned int allow_multiple_messages:1;
+    unsigned int large_rsa:1;
   } flags;
 
   /* Linked list of ways to find a key if the key isn't on the local