There's something else I don't understand (from your blog):
"It handles your password changing just fine. Basically, your login passphrase and your mount passphrase are two different entities. The mount passphrase is "wrapped" or encrypted using your login passphrase. When you login to the system, your login passphrase is then used to "unwrap" or decrypt your mount passphrase, and then perform the mount. If you change your login passphrase, pam_ecryptfs simply unwraps, and then re-wraps your mount passphrase. That way, we don't have to go through the excruciating process of re-encrypting every file."
So what's to stop an attacker from walking up to your computer, and booting in recovery mode to a root shell and changing your login passphrase?
Maybe I'm just not getting it. "Magic" is right; I've been using encryption for over a decade now, but this process is baffling.
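The wrap/unwrap scheme quoted above, modelled as an added example (not part of the original comment and not eCryptfs code): it shows why a normal password change can re-wrap the mount passphrase while a reset from a root shell, which never supplies the old login passphrase, cannot. The function names, the PBKDF2 parameters and the HMAC-based stand-in cipher are assumptions for illustration, not eCryptfs's on-disk format.

```python
import hashlib
import hmac
import os

def _keys(login_pass: str, salt: bytes):
    # Stretch the login passphrase into an encryption key and a MAC key.
    km = hashlib.pbkdf2_hmac("sha256", login_pass.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def _stream(enc_key: bytes) -> bytes:
    # Stand-in keystream (32 bytes); the key is unique per random salt.
    return hmac.new(enc_key, b"wrap-keystream", hashlib.sha256).digest()

def wrap(mount_pass: bytes, login_pass: str) -> bytes:
    """Encrypt the mount passphrase under a key derived from the login passphrase."""
    if len(mount_pass) > 32:
        raise ValueError("stand-in keystream covers at most 32 bytes")
    salt = os.urandom(16)
    enc_key, mac_key = _keys(login_pass, salt)
    ct = bytes(a ^ b for a, b in zip(mount_pass, _stream(enc_key)))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct

def unwrap(blob: bytes, login_pass: str) -> bytes:
    """Recover the mount passphrase; fails unless login_pass is the wrapping one."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = _keys(login_pass, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong login passphrase: cannot unwrap")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key)))

def change_login_passphrase(blob: bytes, old: str, new: str) -> bytes:
    # Normal password change: unwrap with the old passphrase, re-wrap with the new.
    return wrap(unwrap(blob, old), new)

def root_reset_can_mount(blob: bytes, new_login_pass: str) -> bool:
    # A reset from a root shell replaces the account password only. The old
    # passphrase is never entered, so the wrapped blob on disk is unchanged
    # and the new login passphrase does not open it.
    try:
        unwrap(blob, new_login_pass)
        return True
    except ValueError:
        return False
```

In this model the files stay protected after a forced reset, but only as well as the original login passphrase resists offline guessing against the wrapped blob.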