Manjaro ecryptfs - Auto rewrap passphrase

I had problems getting password changes to rewrap the passphrase. This now seems to work, after I made changes (guessed) to /etc/pam.d/passwd

In /etc/pam.d/system-auth: (as described on wiki's elsewhere)


auth       required                preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]          try_first_pass nullok
-auth      [success=1 default=ignore]
auth       [default=die]           authfail

auth [success=1 default=ignore] service = systemd-user quiet
auth    required unwrap

auth       optional          
auth       required          
auth       required                authsucc
# If you drop the above call to the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]
account    required          
account    optional          
account    required          

password   optional          
-password  [success=1 default=ignore]
password   required                    try_first_pass nullok shadow
password   optional          

session    required          
session    required          
session [success=1 default=ignore] service = systemd-user quiet
session    optional           unwrap
session    optional          

In /etc/pam.d/passwd - This appears to handle rewrapping the wrapped passphrase when you change your user password. I had problems changing the root password had to disable the line for root users.

#password	required difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required sha512 shadow use_authtok
password	required sha512 shadow nullok
password [success=1   default=ignore] uid = 0 quiet 
password required unwrap