Password Encryption stored in PAM
Article ID: 123064

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

How does PAM store user passwords for PAM local logins and for target accounts?

Resolution

Local PAM login user passwords are not stored in PAM. A SHA-512 hash is stored in the DB.
When a user logs in to PAM using a PAM local account, the supplied password is hashed and compared to the stored value.
The process cannot be reversed to obtain the clear-text password of a login user. A PAM administrator is not able to retrieve the current password of a local user; the admin can only reset it. This is similar to how other credential sources, such as Active Directory, work.

Passwords for target accounts used to connect to endpoints must be known to PAM in clear text when it opens an access session with automated login.
The account passwords are stored encrypted using AES-256 with a key unique to the cluster. Different clusters use different key encryption keys.

Encryption/decryption of target account passwords requires data stored in the database and on disk. It is not possible to decrypt passwords after loading a database backup on a PAM server that had never been clustered with the node the backup came from.
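The two storage patterns described above, as an added illustrative model and not PAM's own code: a one-way SHA-512 hash that can only be verified for local login users, beside reversible AES-256 encryption under a cluster-unique key for target account passwords, including the failure case of decrypting with a key from a different cluster. The salt for the local user hash, the GCM mode of AES, and the record layouts are assumptions of this example; the article specifies only SHA-512 and AES-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// LocalUserRecord models what is kept for a PAM local login user: a random salt
// (an assumption of this example) and the hex SHA-512 digest of salt||password.
// The clear-text password itself is never stored.
type LocalUserRecord struct {
	Salt []byte
	Hash string
}

func hashPassword(salt []byte, password string) string {
	h := sha512.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

// NewLocalUserRecord is the "set/reset password" path: the only operation an
// administrator has, since the stored digest cannot be turned back into a password.
func NewLocalUserRecord(password string) (LocalUserRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return LocalUserRecord{}, err
	}
	return LocalUserRecord{Salt: salt, Hash: hashPassword(salt, password)}, nil
}

// VerifyLocalLogin re-hashes the supplied password and compares it to the stored
// digest in constant time; nothing here recovers the password.
func VerifyLocalLogin(rec LocalUserRecord, password string) bool {
	candidate := hashPassword(rec.Salt, password)
	return subtle.ConstantTimeCompare([]byte(rec.Hash), []byte(candidate)) == 1
}

// NewClusterKey stands in for the key unique to one PAM cluster (32 bytes = AES-256).
func NewClusterKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptTargetPassword wraps a target account password so it can later be
// recovered in clear text for automated login. Output layout: nonce || sealed data.
func EncryptTargetPassword(key []byte, password string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(password), nil), nil
}

// DecryptTargetPassword recovers the clear-text password under the cluster key.
// With another cluster's key (e.g. a backup restored on an unrelated node) GCM
// authentication fails and an error is returned instead of a password.
func DecryptTargetPassword(key []byte, ciphertext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	// Constructed sample values for the demonstration.
	rec, _ := NewLocalUserRecord("local-user-pw")
	fmt.Println("local login with right password:", VerifyLocalLogin(rec, "local-user-pw"))
	fmt.Println("local login with wrong password:", VerifyLocalLogin(rec, "guess"))

	clusterA, _ := NewClusterKey()
	clusterB, _ := NewClusterKey()
	ct, _ := EncryptTargetPassword(clusterA, "target-account-pw")
	pw, err := DecryptTargetPassword(clusterA, ct)
	fmt.Println("decrypt with own cluster key:", pw, err)
	_, err = DecryptTargetPassword(clusterB, ct)
	fmt.Println("decrypt with other cluster key fails:", err != nil)
}
```

The contrast is the point of the article: the local user record supports only verification and reset, while the target account record is reversible, but only for a node holding the same cluster key, which is why a database backup alone is not enough to recover target passwords on an unrelated server.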