I had problems getting password changes to rewrap the passphrase. This now seems to work, after I made changes (guessed) to /etc/pam.d/passwd
In /etc/pam.d/system-auth: (as described on wiki's elsewhere)
In /etc/pam.d/passwd - This appears to handle rewrapping the wrapped passphrase when you change your user password. I had problems changing the root password had to disable the line for root users.