Secure communication in OPC UA PubSub model works differently from the Client-Server model. The differences are due to the fact that the PubSub communication is generally not a "channel" with just two ends and limited to two communication parties, but is usually of multicast or broadcast nature (although unicast is possible as well).
In OPC UA PubSub, publishers and subscribers (or, better said, senders and receivers) use a common Security Key Service (SKS) that provides them with keys for message security. The keys have limited lifetime. The Security Key Service is accessed through "traditional" OPC UA Client-Server model and resides in an OPC UA Server; it can be integrated with a PubSub application (a publisher, for example), or standalone. The Security Key Service does not have to be available all the time. The OPC UA specification has features that allow the PubSub applications to pre-fetch future keys, and the whole infrastructure is thus, to certain extent, resilient to problems that affect the Security Key Service or connection to it.
The Security Key Service manages the keys separately for each so-called Security Group. Security groups are identified by security group Ids. With multiple security groups, the Security Key Service can address different communication needs inside the PubSub solution, and also separately allow or deny the keys to the applications that request them. In combination with OPC UA Client-Server features for securely identifying the applications and users, this gives the Security Key Service the ability to control the access to the PubSub data with fine granularity.