Are new devices all flashed from the same image? Then as far as I understand all phones will use the same encryption keys, even if the passphrase is changed later on 
This has been discussed for example here but I did not find any note from Purism (employees) how this problem will be tackled. 