Content Provider provides the plain data to BMSC server and it is the BMSC responsibility to encrypt the data before forwarding to the MBMS-GW. BMSC uses MTK (Multicast Traffic Key) to encrypt the service specific data. The key is distributed as part of content itself using the MSK to protect it. MSK (MBMS service key) is shared by BMSC to UE using the MUK to protect it.
MUK (MBMS User Key) and MRK (MBMS Request Key) is generated at BMSC and UE from the shared secret key stored in HSS.