FreeBSD 15.0 shipped on December 2, 2025, and it is the most consequential release since the 10.x series. The base system is now fully manageable through pkg (pkgbase), OpenSSL 3.5 brings post-quantum cryptography to every connection, and OpenSSH 10 uses quantum-resistant key exchange by default. These are not theoretical features sitting in a config flag. They are production-ready and enabled out of the box.
This article demonstrates the major FreeBSD 15.0 new features with hands-on examples tested on a real system. Every command and output shown here was captured on a FreeBSD 15.0-RELEASE amd64 machine running on Proxmox VE with ZFS 2.4.0. Where features are architectural (like 32-bit platform retirement), we explain the practical impact instead of just listing the changelog.
Tested March 2026 | FreeBSD 15.0-RELEASE amd64, OpenSSL 3.5.4, OpenSSH 10.0p2, ZFS 2.4.0-rc4
What Changed in FreeBSD 15.0
Here is a high-level overview of the major changes before we dive into demos:
| Feature | What’s New | Impact |
|---|---|---|
| pkgbase | 310 base system packages manageable via pkg | No more freebsd-update, granular base management |
| OpenSSL 3.5.4 | ML-KEM and ML-DSA post-quantum algorithms | Quantum-resistant TLS available now |
| OpenSSH 10.0p2 | mlkem768x25519-sha256 default key exchange | SSH connections are quantum-safe by default |
| ZFS 2.4.0 | Block cloning, improved performance | Instant file copies on ZFS, lower I/O |
| Jails | File descriptor-based jail operations, service jails | Race-free jail management, easy daemon isolation |
| Linux inotify | Native inotify implementation | Better Linux binary compatibility |
| 32-bit retirement | i386, armv6, 32-bit PowerPC dropped | Cleaner codebase, 32-bit apps still run on amd64 |
| Nanosecond timestamps | date supports %N format | Precise timing in scripts |
| USB HID | usbhid replaces ukbd/ums as default | Better device support out of the box |
| MIT Kerberos | Replaces Heimdal | Better interoperability with Linux/AD environments |
Full details are in the official FreeBSD 15.0 release announcement and release notes.
pkgbase: Manage the Entire Base System with pkg
This is the headline feature of FreeBSD 15.0. The entire base system (kernel, libraries, utilities, everything that ships with FreeBSD) is now split into approximately 310 individual packages. You manage them with the same pkg tool used for third-party software. No more running freebsd-update fetch install and hoping nothing breaks.
List all installed base packages:
pkg query -a '%n %v' | grep '^FreeBSD-' | head -20FreeBSD-acct 15.0
FreeBSD-acpi 15.0
FreeBSD-at 15.0
FreeBSD-atf 15.0
FreeBSD-audit 15.0
FreeBSD-autofs 15.0
FreeBSD-bhyve 15.0
FreeBSD-blocklist 15.0
FreeBSD-bluetooth 15.0
FreeBSD-bmake 15.0
FreeBSD-bootloader 15.0
FreeBSD-bsdconfig 15.0
FreeBSD-bsdinstall 15.0
FreeBSD-bsnmp 15.0
FreeBSD-caroot 15.0
FreeBSD-certctl 15.0
FreeBSD-clibs 15.0
FreeBSD-csh 15.0
FreeBSD-devd 15.0
FreeBSD-devmatch 15.0Count the total:
pkg query -a '%n' | grep '^FreeBSD-' | wc -l 310You can inspect any base package just like a ports package:
pkg info FreeBSD-sshFreeBSD-ssh-15.0
Name : FreeBSD-ssh
Version : 15.0
Installed on : Tue Mar 24 11:18:11 2026 UTC
Origin : base/FreeBSD-ssh
Architecture : FreeBSD:15:amd64
Prefix : /
Categories : base
Licenses : ISCL
Maintainer : [email protected]Enable pkgbase Updates
The base package repository is disabled by default. Enable it:
mkdir -p /usr/local/etc/pkg/repos
echo 'FreeBSD-base: { enabled: yes }' > /usr/local/etc/pkg/repos/FreeBSD-base.confCheck for base system updates:
pkg update -r FreeBSD-baseUpdating FreeBSD-base repository catalogue...
FreeBSD-base repository is up to date.
FreeBSD-base is up to date.When security patches land, updating the base is just pkg upgrade. You can even lock specific base packages with pkg lock FreeBSD-kernel if you need to hold back a kernel update while patching userland.
Post-Quantum Cryptography with OpenSSL 3.5
FreeBSD 15.0 ships OpenSSL 3.5.4 LTS with full support for NIST post-quantum cryptographic standards: ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation and ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures. These algorithms resist attacks from quantum computers.
openssl versionOpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)Available Post-Quantum Algorithms
List the key encapsulation mechanisms (KEM):
openssl list -kem-algorithms SecP384r1MLKEM1024 @ default
{ 1.3.101.110, X25519 } @ default
{ 1.3.101.111, X448 } @ default
{ 2.16.840.1.101.3.4.4.1, id-alg-ml-kem-512, ML-KEM-512, MLKEM512 } @ default
{ 2.16.840.1.101.3.4.4.2, id-alg-ml-kem-768, ML-KEM-768, MLKEM768 } @ default
{ 2.16.840.1.101.3.4.4.3, id-alg-ml-kem-1024, ML-KEM-1024, MLKEM1024 } @ default
X25519MLKEM768 @ default
X448MLKEM1024 @ default
SecP256r1MLKEM768 @ defaultThe hybrid algorithms (like X25519MLKEM768) combine classical and post-quantum key exchange, so even if ML-KEM turns out to have a weakness, the X25519 component still provides security.
Demo: Sign and Verify with ML-DSA-65
Generate an ML-DSA-65 key pair (quantum-resistant digital signatures):
openssl genpkey -algorithm ML-DSA-65 -out /tmp/mldsa65.key
openssl pkey -in /tmp/mldsa65.key -pubout -out /tmp/mldsa65.pubThe key sizes are significantly larger than RSA or Ed25519 because lattice-based algorithms need bigger keys to achieve quantum resistance:
ls -la /tmp/mldsa65.*-rw------- 1 root wheel 5604 Mar 25 01:21 /tmp/mldsa65.key
-rw-r--r-- 1 root wheel 2726 Mar 25 01:21 /tmp/mldsa65.pubSign a message and verify the signature:
echo 'Hello FreeBSD 15 with post-quantum crypto' > /tmp/message.txt
openssl pkeyutl -sign -inkey /tmp/mldsa65.key -in /tmp/message.txt -out /tmp/message.sig
openssl pkeyutl -verify -pubin -inkey /tmp/mldsa65.pub -in /tmp/message.txt -sigfile /tmp/message.sigSignature Verified SuccessfullyML-KEM key generation works the same way:
openssl genpkey -algorithm ML-KEM-768 -out /tmp/mlkem768.key
openssl pkey -in /tmp/mlkem768.key -pubout -out /tmp/mlkem768.pub
openssl pkey -in /tmp/mlkem768.key -text -noout | head -3ML-KEM-768 Private-Key:
seed:
a1:4a:bb:13:9f:f0:1f:57:cf:42:63:ea:28:a0:d4:OpenSSH 10: Quantum-Safe by Default
OpenSSH 10.0p2 in FreeBSD 15.0 changed the default key exchange algorithm to mlkem768x25519-sha256, a hybrid post-quantum algorithm. Every SSH connection on a fresh FreeBSD 15 install uses quantum-resistant key exchange without any configuration changes.
ssh -VOpenSSH_10.0p2, OpenSSL 3.5.4 30 Sep 2025Check the actual key exchange order used by sshd:
sshd -T | grep kexalgorithmskexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,[email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521mlkem768x25519-sha256 is the first algorithm in the list, which means it is the preferred choice. The fallback chain still includes classical algorithms for compatibility with older clients.
OpenSSH 10 also adds automatic keystroke timing obfuscation. When you type in an SSH terminal, the timing between keystrokes can leak information about what you are typing. OpenSSH 10 adds random padding to the timing, making keystroke analysis impractical. This is enabled by default with no configuration required.
ZFS 2.4: Block Cloning and Performance
FreeBSD 15.0 ships ZFS 2.4.0 with block cloning enabled by default. When you copy a file on ZFS, the filesystem can reference the same blocks instead of physically duplicating data, similar to how ZFS clones work at the dataset level but applied to individual files.
zfs versionzfs-2.4.0-rc4-FreeBSD_g099f69ff5
zfs-kmod-2.4.0-rc4-FreeBSD_g099f69ff5Verify block cloning is active on your pool:
zpool get feature@block_cloning zrootNAME PROPERTY VALUE SOURCE
zroot feature@block_cloning active localBlock cloning works transparently through the copy_file_range() syscall. FreeBSD’s cp command uses this syscall automatically. Check the block clone statistics:
zpool get bclonesaved,bcloneused,bcloneratio zrootNAME PROPERTY VALUE SOURCE
zroot bclonesaved 100K -
zroot bcloneused 100K -
zroot bcloneratio 2.00x -The bcloneratio of 2.00x means ZFS is referencing blocks instead of duplicating them, effectively halving the physical space used for copied data. This is particularly useful for jail deployments where multiple jails share similar base files.
Jail Improvements in FreeBSD 15
Jails received two significant upgrades in 15.0.
File Descriptor-Based Jail Operations
Previous FreeBSD versions identified jails by integer JIDs, which created race conditions in scripts: a jail could be destroyed and recreated with the same JID between the time you looked it up and the time you acted on it. FreeBSD 15 adds jail_set() and jail_get() operations via file descriptors, plus new syscalls jail_attach_jd() and jail_remove_jd(). Kevent filters can now track jail lifecycle events (creation, changes, attachment, removal).
Service Jails
Service jails let you confine individual daemons inside jails with minimal configuration. Instead of building a full jail with a separate filesystem, a service jail shares the host’s filesystem and isolates only the process. This is configured directly in rc.conf:
sysrc nginx_svcj="YES"That single line runs Nginx inside a jail the next time the service starts. Service jails are ideal for quick isolation of internet-facing daemons without the overhead of managing separate jail filesystems.
For full VNET jail networking with bridge and epair interfaces, see our FreeBSD Jails VNET networking guide.
Nanosecond Precision in date
The date command now supports the %N format specifier for nanosecond precision. This matters for log correlation, benchmarking, and any script that needs sub-second timing:
date '+%Y-%m-%d %H:%M:%S.%N'2026-03-25 01:21:15.266045940Unix epoch with nanoseconds:
date '+%s.%N'1774401675.266958911On FreeBSD 14 and earlier, %N produced literal N because the feature did not exist.
Linux Compatibility: Native inotify
FreeBSD’s Linux compatibility layer (Linuxulator) now includes a native implementation of the inotify API. Linux applications that monitor filesystem changes using inotify can now run on FreeBSD without workarounds or patches.
Load the Linux compatibility module:
kldload linux64
sysctl compat.linux.osreleasecompat.linux.osrelease: 5.15.0The Linuxulator reports as Linux kernel 5.15.0 to applications. This is enough for most Linux binaries that check for minimum kernel versions, and the native inotify support means tools like inotifywait and Node.js file watchers work correctly under the compatibility layer.
USB HID as the Default Input Driver
FreeBSD 15 enables the usbhid driver by default, replacing the older ukbd (keyboard), ums (mouse), and uhid (generic HID) drivers. The new driver handles USB keyboards, mice, touchpads, game controllers, digitizers, and compound devices through a single unified stack.
sysctl hw.usb.usbhid.enablehw.usb.usbhid.enable: 1If you have custom configurations referencing ukbd or ums in /boot/loader.conf, those still work but are now redundant on fresh 15.0 installs.
32-Bit Platform Retirement
FreeBSD 15 drops support for i386, armv6, and 32-bit PowerPC as hardware platforms. The armv7 platform remains as the last supported 32-bit architecture. Critically, 32-bit application support continues on amd64 through the compatibility layer:
sysctl kern.features.compat_freebsd_32bitkern.features.compat_freebsd_32bit: 1Existing 32-bit applications and libraries still run on FreeBSD 15 amd64. What changed is that FreeBSD no longer builds or ships installation media for 32-bit only hardware.
Other Notable Changes
Kerberos Migration to MIT
FreeBSD 15 ships MIT Kerberos 1.22.1, replacing the Heimdal 1.5.2 implementation that FreeBSD has used for decades. MIT Kerberos has better interoperability with Active Directory and Linux environments. Heimdal will be fully removed in FreeBSD 16.
NVMe over Fabrics
FreeBSD 15 adds NVMe over Fabrics (NVMe-oF) support via TCP transport. Remote NVMe controllers can be accessed as if they were locally attached, with export support through the CAM target layer. This enables disaggregated storage architectures where compute and storage nodes communicate over standard Ethernet.
Networking Improvements
- NFSv4.2 Clone operation for copy-on-write file operations on ZFS (server-side file copies without data transfer)
- iwx driver for Intel Wi-Fi 6 M.2 adapters, plus stability fixes to
iwlwifi - ice driver for Intel E800 series 100Gb/s Ethernet controllers
- NFS privileged port enforcement is now on by default (
nfs_reserved_port_only)
Deprecated and Removed Features
| Item | Status | Alternative |
|---|---|---|
ftpd | Removed | Use vsftpd or sftp from ports |
fdisk | Deprecated (shows migration warning) | Use gpart |
| GEOM Vinum | Removed | Use ZFS or GEOM mirror/stripe |
agp driver | Deprecated for removal in 16.0 | Modern GPUs don’t use AGP |
firewire driver | Deprecated for removal in 16.0 | USB/Thunderbolt |
readdir_r() | Deprecated with compile-time warnings | Use readdir() (thread-safe in FreeBSD) |
FreeBSD 15 Support Timeline
FreeBSD has moved to a new release cadence with quarterly point releases:
- FreeBSD 15.0: released December 2, 2025, supported until September 30, 2026
- FreeBSD 15.1: scheduled for June 2026
- FreeBSD 15.2: scheduled for December 2026
- 15.x series end-of-life: December 31, 2029
The 15.x series will receive security updates for four years. Point releases bring new features, while the major version (15) guarantees ABI compatibility across all point releases.
Upgrading from FreeBSD 14
If you are running FreeBSD 14, upgrading to 15.0 is straightforward using freebsd-update (the last time you will need it). After upgrading, pkgbase takes over for future updates:
freebsd-update -r 15.0-RELEASE upgrade
freebsd-update install
reboot
freebsd-update installAfter the upgrade, enable the pkgbase repository and switch to pkg upgrade for all future base system updates. Our FreeBSD 14 to 15 upgrade guide covers the complete process including gotchas like the Heimdal to MIT Kerberos migration.
For fresh installations, see our FreeBSD 15 installation guide on KVM and Proxmox which covers the entire installer, ZFS setup, and post-install configuration.
