diff --git a/pkg/server/image_pull.go b/pkg/server/image_pull.go
index d753f263e..c5863ce84 100644
--- a/pkg/server/image_pull.go
+++ b/pkg/server/image_pull.go
@@ -119,11 +119,7 @@ func (c *criService) PullImage(ctx context.Context, r *runtime.PullImageRequest)
 containerd.WithImageHandler(imageHandler),
 }
- if c.config.EncryptedImagesConfig.KeyModel == criconfig.EncryptionKeyModelNode {
- ltdd := imgcrypt.Payload{}
- decUnpackOpt := encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(<dd))
- pullOpts = append(pullOpts, encryption.WithUnpackOpts([]containerd.UnpackOpt{decUnpackOpt}))
- }
+ pullOpts = append(pullOpts, c.encryptedImagesPullOpts()...)
 image, err := c.client.Pull(ctx, ref, pullOpts...)
 if err != nil {
@@ -414,3 +410,15 @@ func newTransport() *http.Transport {
 ExpectContinueTimeout: 5 * time.Second,
 }
 }
+
+// addEncryptedImagesPullOpts adds the necessary pull options to a list of
+// pull options if enabled.
+func (c *criService) encryptedImagesPullOpts() []containerd.RemoteOpt {
+ if c.config.EncryptedImagesConfig.KeyModel == criconfig.EncryptionKeyModelNode {
+ ltdd := imgcrypt.Payload{}
+ decUnpackOpt := encryption.WithUnpackConfigApplyOpts(encryption.WithDecryptedUnpack(<dd))
+ opt := containerd.WithUnpackOpts([]containerd.UnpackOpt{decUnpackOpt})
+ return []containerd.RemoteOpt{opt}
+ }
+ return nil
+}
diff --git a/pkg/server/image_pull_test.go b/pkg/server/image_pull_test.go
index 4e79edbf4..95c920efc 100644
--- a/pkg/server/image_pull_test.go
+++ b/pkg/server/image_pull_test.go
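Review bot: The doc comment on the new helper in the second hunk names `addEncryptedImagesPullOpts`, but the method is `encryptedImagesPullOpts` and it returns a fresh slice rather than adding to one; I would write `// encryptedImagesPullOpts returns the pull options that enable decrypted unpack when the node key model is configured, and nil otherwise.` A comment should also say why `imgcrypt.Payload{}` is passed empty: presumably the node key model takes its decryption keys from node-level configuration rather than from the request, which would mean every image pulled on the node is unpacked with the node's keys, so confirm that and state it. Any `KeyModel` other than `criconfig.EncryptionKeyModelNode` returns nil without a log line, so a mistyped value disables decryption silently unless config validation (not visible in this diff) rejects it. The argument printed as `<dd` on this page is presumably `&ltdd`, the address of the local declared on the line above it.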
@@ -288,3 +288,25 @@ func TestDefaultScheme(t *testing.T) {
 assert.Equal(t, test.expected, got)
 }
 }
+
+func TestEncryptedImagePullOpts(t *testing.T) {
+ for desc, test := range map[string]struct {
+ keyModel string
+ expectedOpts int
+ }{
+ "node key model should return one unpack opt": {
+ keyModel: criconfig.EncryptionKeyModelNode,
+ expectedOpts: 1,
+ },
+ "no key model selected should not add any opts": {
+ keyModel: "",
+ expectedOpts: 0,
+ },
+ } {
+ t.Logf("TestCase %q", desc)
+ c := newTestCRIService()
+ c.config.EncryptedImagesConfig.KeyModel = test.keyModel
+ got := len(c.encryptedImagesPullOpts())
+ assert.Equal(t, test.expectedOpts, got)
+ }
+}
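Review bot: Both cases in TestEncryptedImagePullOpts assert only `len(c.encryptedImagesPullOpts())`, so the test would still pass if the returned option stopped configuring decrypted unpack; that matters here because the helper builds the option with `containerd.WithUnpackOpts` where the removed call site used `encryption.WithUnpackOpts`. If the option cannot be inspected from the test, a comment above the table should say that only the count is checked and why. Running each case under `t.Run(desc, func(t *testing.T) { ... })` instead of `t.Logf("TestCase %q", desc)` would attribute a failure to its case, and a third case with an unrecognised key model string would pin the fall-through to zero options.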