Manjaro ecryptfs - Auto rewrap passphrase

I had problems getting a login password change to rewrap the ecryptfs wrapped passphrase. It now seems to work after I made some (guessed) changes to /etc/pam.d/passwd.

In /etc/pam.d/system-auth (as described on wikis elsewhere):

#%PAM-1.0
# system-auth with pam_ecryptfs hooked into the auth, password and session
# stacks. PAM evaluates each stack top to bottom and the [success=N] jumps
# count lines, so the order of the lines below is part of the behaviour.

# preauth: consult the faillock tally before any credential is checked.
auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
# success=2: a correct UNIX password jumps over the next two lines.
# NOTE(review): nullok lets an account with an empty password authenticate;
# drop it if no such account is supposed to exist.
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
# Leading '-' means a missing module is skipped without being logged.
-auth      [success=1 default=ignore]  pam_systemd_home.so
# Reached only when both modules above failed: record the failure and stop.
auth       [default=die]               pam_faillock.so      authfail

# Skip pam_ecryptfs (the next line) for the systemd-user service.
auth [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
# unwrap: use the password just entered to unwrap the ecryptfs wrapped passphrase.
# NOTE(review): the control is 'required', so a failure return from this module
# fails the login; confirm accounts without an ecryptfs setup still authenticate.
auth    required    pam_ecryptfs.so unwrap

auth       optional                    pam_permit.so
auth       required                    pam_env.so
# authsucc: clear the failure tally after a successful login.
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

# Password-change hook for ecryptfs, placed ahead of pam_unix.
# 'optional' means a failed rewrap does not block the password change itself;
# presumably the wrapped passphrase then stays wrapped with the old password
# and has to be rewrapped by hand (ecryptfs-rewrap-passphrase) - TODO confirm.
password   optional                    pam_ecryptfs.so
-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
# Same systemd-user exemption as in the auth stack: skip the next line.
session [success=1 default=ignore]     pam_succeed_if.so service = systemd-user quiet
# Session hook for ecryptfs; 'optional', so a failure here does not end the session.
session    optional                    pam_ecryptfs.so unwrap
session    optional                    pam_permit.so
/etc/pam.d/system-auth

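In /etc/pam.d/passwd: this appears to handle rewrapping the wrapped passphrase when you change your user password. I had problems changing the root password, so I had to disable the pam_ecryptfs line for root users; the pam_succeed_if line below does that by skipping the following line when the uid is 0.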

#%PAM-1.0
# Password stack used by passwd(1), changed so that pam_ecryptfs runs after
# pam_unix. The author describes these changes as guessed; test them on a
# non-critical account before relying on them.
# NOTE(review): with the cracklib line commented out, no password-quality
# module is active in this stack.
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so sha512 shadow use_authtok
# pam_unix stores the new password (sha512, shadow). No use_authtok or
# try_first_pass is given, so it does not depend on a token from an earlier module.
# NOTE(review): nullok permits accounts whose current password is empty.
password	required	pam_unix.so sha512 shadow nullok
# success=1: skip the pam_ecryptfs line below when the uid test matches 0.
# NOTE(review): without use_uid, pam_succeed_if tests the account being
# changed, not the caller - so root changing another user's password
# presumably still reaches pam_ecryptfs; verify that case.
password [success=1   default=ignore] pam_succeed_if.so uid = 0 quiet 
# Runs after pam_unix. The control here is 'required', whereas the
# system-auth listing uses 'optional' for its password-stack pam_ecryptfs line.
# NOTE(review): a failure here would be reported after pam_unix has already
# run - confirm what state that leaves the login password and the wrapped
# passphrase in. 'unwrap' is the option used on the auth line; whether it has
# any effect in the password stack is not shown here.
password required pam_ecryptfs.so unwrap


/etc/pam.d/passwd