Its an aspectization of the JaasSecurityDomain.encode/decode operations, applied to one or more bean properties. How the cipher/parameters for the attribute encryption are integrated into the aspect metadata is one issue.
Before the hitting the write aspect of an encrypted property its clear-text, after its encrypted and this is what is stored in the bean. Likewise, before hitting the read aspect of an encrypted property its encrypted, clear-text after.
The aspect also needs to be applied to metadata sources of the property if were worried about those being saved as can be the case for the profile service.