Once eNodeB receives Initial Context Setup Request message from the MME, eNodeB enable Access stratum security with the UE. To do so, eNodeB executes Initial Security Activation Procedure.
As part of Initial security activation procedure, eNodeB sends Security Mode Command message to UE with the selected security algorithms (one for integrity and another for ciphering). Security mode command message is just integrity projected not ciphered.
When UE receives the Security Mode Command message from the eNodeB, it generates the KrrcInt, KrrcEnc, KUpenc keys based on the algorithms sent by eNodeB. Once it is done, eNodeB sends Security mode complete message to eNodeB. Security mode complete message is integrity protected as well as ciphered.
For the key derivation related information, please refer 33.401.