Heungjae,
Masking is accomplished through an Extract-Transform-Load process. We read from the table(s) to be masked, modify the data in memory on the masking engine, and then update the data in the database. Thus, the data at rest is not decrypted. We use the same methods to access the data as any application would, specifically SQL over a JDBC connection.
Thank you for your question,
Michael
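The read-modify-update flow described in the reply above, as an added sketch (not part of the reply and not the masking engine's own code). Python's `sqlite3` stands in for the JDBC connection, and the `customers` table, the HMAC-based `mask_email` transform and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed key for this example; a real job would load it from a secret store.
MASK_KEY = b"example-only-masking-key"


def mask_email(value: str) -> str:
    """Assumed transform: deterministic, so equal inputs mask to equal outputs."""
    digest = hmac.new(MASK_KEY, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"user_{digest[:12]}@masked.example"


def mask_column(conn, table, key_col, target_col, transform, batch=500):
    """Extract rows over the SQL connection, transform in memory, load via UPDATE."""
    # Identifiers cannot be bound as parameters, so accept plain names only.
    for name in (table, key_col, target_col):
        if not name.isidentifier():
            raise ValueError(f"unsafe identifier: {name!r}")
    last, updated = None, 0
    while True:
        rows = conn.execute(  # Extract: keyset pagination, one batch in memory
            f"SELECT {key_col}, {target_col} FROM {table} "
            f"WHERE (? IS NULL OR {key_col} > ?) ORDER BY {key_col} LIMIT ?",
            (last, last, batch)).fetchall()
        if not rows:
            return updated
        changes = [(transform(v), k) for k, v in rows if v is not None]  # Transform
        with conn:  # Load: one transaction per batch, rolled back on error
            conn.executemany(
                f"UPDATE {table} SET {target_col} = ? WHERE {key_col} = ?", changes)
        last = rows[-1][0]
        updated += len(changes)


def demo():
    conn = sqlite3.connect(":memory:")  # stands in for the JDBC connection
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(  # constructed sample rows
        "INSERT INTO customers VALUES (?, ?)",
        [(1, "alice@corp.example"), (2, "bob@corp.example"),
         (3, None), (4, "Alice@corp.example")])
    n = mask_column(conn, "customers", "id", "email", mask_email, batch=2)
    return n, conn.execute("SELECT id, email FROM customers ORDER BY id").fetchall()


if __name__ == "__main__":
    print(demo())
```

Because the job goes through the same SQL path as any application, the database hands it plaintext values whether or not the storage underneath is encrypted, so the account it connects with needs to be scoped and audited like any other reader of that data.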