I've actually gotten to the bottom of this. I had two issues:
1) I moved the password optional ecryptfs.so line BELOW the pam_unix.so line (despite what https://wiki.archlinux.org/index.php/ECryptfs says)
2) I realized that the password rewrapper looks for the wrapped-passphrase in /home/user/.ecryptfs rather than /home/.ecryptfs/user/.ecryptfs -- when I made the former a symlink to the latter, rewrapping started working.
I've actually gotten to the bottom of this. I had two issues:
1) I moved the password optional ecryptfs.so line BELOW the pam_unix.so line (despite what https:/ /wiki.archlinux .org/index. php/ECryptfs says)
2) I realized that the password rewrapper looks for the wrapped-passphrase in /home/user/ .ecryptfs rather than /home/. ecryptfs/ user/.ecryptfs -- when I made the former a symlink to the latter, rewrapping started working.