diff --git a/configure.ac b/configure.ac
index 32c23655..a13c266c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -621,6 +621,7 @@ CS_STR_WITH([loopaes-cipher], [cipher for loop-AES mode], [aes])
 CS_NUM_WITH([loopaes-keybits],[key length in bits for loop-AES mode], [256])
 
 CS_NUM_WITH([keyfile-size-maxkb],[maximum keyfile size (in KiB)], [8192])
+CS_NUM_WITH([integrity-keyfile-size-maxkb],[maximum integritysetup keyfile size (in KiB)], [4])
 CS_NUM_WITH([passphrase-size-max],[maximum passphrase size (in characters)], [512])
 
 CS_STR_WITH([verity-hash],       [hash function for verity mode], [sha256])
diff --git a/man/integritysetup.8 b/man/integritysetup.8
index 9ed2e915..efe8f4d4 100644
--- a/man/integritysetup.8
+++ b/man/integritysetup.8
@@ -127,7 +127,7 @@ The integrity algorithm can be CRC (crc32c/crc32) or hash function (sha1, sha256
 For HMAC (hmac-sha256) you have also to specify an integrity key and its size.
 .TP
 .B "\-\-integrity\-key\-size BYTES"
-The size of the data integrity key.
+The size of the data integrity key. Maximum is 4096 bytes.
 .TP
 .B "\-\-integrity\-key\-file FILE"
 The file with the integrity key.
@@ -167,7 +167,7 @@ Integrity algorithm for journal area.
 See \-\-integrity option for detailed specification.
 .TP
 .B "\-\-journal\-integrity\-key\-size BYTES"
-The size of the journal integrity key.
+The size of the journal integrity key. Maximum is 4096 bytes.
 .TP
 .B "\-\-journal\-integrity\-key\-file FILE"
 The file with the integrity key.
@@ -178,7 +178,7 @@ You can use a block cipher here such as cbc-aes or
 a stream cipher, for example, chacha20 or ctr-aes.
 .TP
 .B "\-\-journal\-crypt\-key\-size BYTES"
-The size of the journal encryption key.
+The size of the journal encryption key. Maximum is 4096 bytes.
 .TP
 .B "\-\-journal\-crypt\-key\-file FILE"
 The file with the journal encryption key.
diff --git a/src/integritysetup.c b/src/integritysetup.c
index 26781ae9..46043029 100644
--- a/src/integritysetup.c
+++ b/src/integritysetup.c
@@ -28,8 +28,6 @@
 
 #define PACKAGE_INTEGRITY "integritysetup"
 
-#define MAX_KEY_SIZE 4096
-
 static const char **action_argv;
 static int action_argc;
 static struct tools_log_params log_parms;
@@ -473,7 +471,9 @@ static void help(poptContext popt_context,
 			crypt_get_dir());
 
 		log_std(_("\nDefault compiled-in dm-integrity parameters:\n"
-			  "\tChecksum algorithm: %s\n"), DEFAULT_ALG_NAME);
+			  "\tChecksum algorithm: %s\n"
+			  "\tMaximum keyfile size: %dkB\n"),
+			  DEFAULT_ALG_NAME, DEFAULT_INTEGRITY_KEYFILE_SIZE_MAXKB);
 		tools_cleanup();
 		poptFreeContext(popt_context);
 		exit(EXIT_SUCCESS);
@@ -526,8 +526,9 @@ static void basic_options_cb(poptContext popt_context,
 	case OPT_JOURNAL_INTEGRITY_KEY_SIZE_ID:
 		/* fall through */
 	case OPT_JOURNAL_CRYPT_KEY_SIZE_ID:
-		if (ARG_UINT32(key->val) > MAX_KEY_SIZE) {
-			snprintf(msg, sizeof(msg), _("Invalid --%s size."), key->longName);
+		if (ARG_UINT32(key->val) > (DEFAULT_INTEGRITY_KEYFILE_SIZE_MAXKB * 1024)) {
+			snprintf(msg, sizeof(msg), _("Invalid --%s size. Maximum is %u bytes."),
+				 key->longName, DEFAULT_INTEGRITY_KEYFILE_SIZE_MAXKB * 1024);
 			usage(popt_context, EXIT_FAILURE, msg,
 			      poptGetInvocationName(popt_context));
 		}