diff --git a/node/config.go b/node/config.go
index 8fe3060eaa..43271d294c 100644
--- a/node/config.go
+++ b/node/config.go
@@ -101,19 +101,32 @@ func NewConfig(ctx *cli.Context) (*Config, error) {
 
 	testMode := ctx.GlobalBool(flags.EnableTestModeFlag.Name)
 
-	// Decrypt ECDSA key
+	// Configuration options that require the Node Operator ECDSA key at runtime
+	registerNodeAtStart := ctx.GlobalBool(flags.RegisterAtNodeStartFlag.Name)
+	pubIPCheckInterval := ctx.GlobalDuration(flags.PubIPCheckIntervalFlag.Name)
+	needECDSAKey := registerNodeAtStart || pubIPCheckInterval > 0
+	if registerNodeAtStart && (ctx.GlobalString(flags.EcdsaKeyFileFlag.Name) == "" || ctx.GlobalString(flags.EcdsaKeyPasswordFlag.Name) == "") {
+		return nil, fmt.Errorf("%s and %s are required if %s is enabled", flags.EcdsaKeyFileFlag.Name, flags.EcdsaKeyPasswordFlag.Name, flags.RegisterAtNodeStartFlag.Name)
+	}
+	if pubIPCheckInterval > 0 && (ctx.GlobalString(flags.EcdsaKeyFileFlag.Name) == "" || ctx.GlobalString(flags.EcdsaKeyPasswordFlag.Name) == "") {
+		return nil, fmt.Errorf("%s and %s are required if %s is > 0", flags.EcdsaKeyFileFlag.Name, flags.EcdsaKeyPasswordFlag.Name, flags.PubIPCheckIntervalFlag.Name)
+	}
+
 	var ethClientConfig geth.EthClientConfig
 	if !testMode {
-		keyContents, err := os.ReadFile(ctx.GlobalString(flags.EcdsaKeyFileFlag.Name))
-		if err != nil {
-			return nil, fmt.Errorf("could not read ECDSA key file: %v", err)
-		}
-		sk, err := keystore.DecryptKey(keyContents, ctx.GlobalString(flags.EcdsaKeyPasswordFlag.Name))
-		if err != nil {
-			return nil, fmt.Errorf("could not decrypt the ECDSA file: %s", ctx.GlobalString(flags.EcdsaKeyFileFlag.Name))
-		}
 		ethClientConfig = geth.ReadEthClientConfigRPCOnly(ctx)
-		ethClientConfig.PrivateKeyString = fmt.Sprintf("%x", crypto.FromECDSA(sk.PrivateKey))
+		if needECDSAKey {
+			// Decrypt ECDSA key
+			keyContents, err := os.ReadFile(ctx.GlobalString(flags.EcdsaKeyFileFlag.Name))
+			if err != nil {
+				return nil, fmt.Errorf("could not read ECDSA key file: %v", err)
+			}
+			sk, err := keystore.DecryptKey(keyContents, ctx.GlobalString(flags.EcdsaKeyPasswordFlag.Name))
+			if err != nil {
+				return nil, fmt.Errorf("could not decrypt the ECDSA file: %s", ctx.GlobalString(flags.EcdsaKeyFileFlag.Name))
+			}
+			ethClientConfig.PrivateKeyString = fmt.Sprintf("%x", crypto.FromECDSA(sk.PrivateKey))
+		}
 	} else {
 		ethClientConfig = geth.ReadEthClientConfig(ctx)
 	}
@@ -155,7 +168,7 @@ func NewConfig(ctx *cli.Context) (*Config, error) {
 		EnableMetrics:                 ctx.GlobalBool(flags.EnableMetricsFlag.Name),
 		MetricsPort:                   ctx.GlobalString(flags.MetricsPortFlag.Name),
 		Timeout:                       timeout,
-		RegisterNodeAtStart:           ctx.GlobalBool(flags.RegisterAtNodeStartFlag.Name),
+		RegisterNodeAtStart:           registerNodeAtStart,
 		ExpirationPollIntervalSec:     expirationPollIntervalSec,
 		EnableTestMode:                testMode,
 		OverrideBlockStaleMeasure:     ctx.GlobalInt64(flags.OverrideBlockStaleMeasureFlag.Name),
@@ -169,7 +182,7 @@ func NewConfig(ctx *cli.Context) (*Config, error) {
 		BLSOperatorStateRetrieverAddr: ctx.GlobalString(flags.BlsOperatorStateRetrieverFlag.Name),
 		EigenDAServiceManagerAddr:     ctx.GlobalString(flags.EigenDAServiceManagerFlag.Name),
 		PubIPProvider:                 ctx.GlobalString(flags.PubIPProviderFlag.Name),
-		PubIPCheckInterval:            ctx.GlobalDuration(flags.PubIPCheckIntervalFlag.Name),
+		PubIPCheckInterval:            pubIPCheckInterval,
 		ChurnerUrl:                    ctx.GlobalString(flags.ChurnerUrlFlag.Name),
 		NumBatchValidators:            ctx.GlobalInt(flags.NumBatchValidatorsFlag.Name),
 		ClientIPHeader:                ctx.GlobalString(flags.ClientIPHeaderFlag.Name),
diff --git a/node/flags/flags.go b/node/flags/flags.go
index 20e6388132..7da53f6867 100644
--- a/node/flags/flags.go
+++ b/node/flags/flags.go
@@ -100,7 +100,7 @@ var (
 	}
 	EcdsaKeyFileFlag = cli.StringFlag{
 		Name:     common.PrefixFlag(FlagPrefix, "ecdsa-key-file"),
-		Required: true,
+		Required: false,
 		Usage:    "Path to the encrypted ecdsa private key",
 		EnvVar:   common.PrefixEnvVar(EnvVarPrefix, "ECDSA_KEY_FILE"),
 	}
@@ -113,7 +113,7 @@ var (
 	}
 	EcdsaKeyPasswordFlag = cli.StringFlag{
 		Name:     common.PrefixFlag(FlagPrefix, "ecdsa-key-password"),
-		Required: true,
+		Required: false,
 		Usage:    "Password to decrypt ecdsa private key",
 		EnvVar:   common.PrefixEnvVar(EnvVarPrefix, "ECDSA_KEY_PASSWORD"),
 	}
@@ -244,9 +244,7 @@ var requiredFlags = []cli.Flag{
 	QuorumIDListFlag,
 	DbPathFlag,
 	BlsKeyFileFlag,
-	EcdsaKeyFileFlag,
 	BlsKeyPasswordFlag,
-	EcdsaKeyPasswordFlag,
 	BlsOperatorStateRetrieverFlag,
 	EigenDAServiceManagerFlag,
 	PubIPProviderFlag,
@@ -266,6 +264,8 @@ var optionalFlags = []cli.Flag{
 	InternalRetrievalPortFlag,
 	ClientIPHeaderFlag,
 	ChurnerUseSecureGRPC,
+	EcdsaKeyFileFlag,
+	EcdsaKeyPasswordFlag,
 }
 
 func init() {