{"id":164434,"date":"2026-03-25T12:16:56","date_gmt":"2026-03-25T09:16:56","guid":{"rendered":"https:\/\/computingforgeeks.com\/freebsd-15-new-features\/"},"modified":"2026-03-25T12:16:57","modified_gmt":"2026-03-25T09:16:57","slug":"freebsd-15-new-features","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/freebsd-15-new-features\/","title":{"rendered":"FreeBSD 15.0 New Features: pkgbase, Post-Quantum Crypto, ZFS 2.4"},"content":{"rendered":"\n

FreeBSD 15.0 landed on December 2, 2025, and it changes how you manage the entire operating system. The base system is now a collection of 310 individual packages managed through pkg<\/code>, the same tool you already use for ports. No more freebsd-update<\/code>. Alongside that, OpenSSL 3.5 ships with quantum-resistant cryptography, and OpenSSH 10 defaults to post-quantum key exchange on every connection.<\/p>\n\n\n\n

We tested every feature shown here on a real FreeBSD 15.0-RELEASE amd64 machine running on Proxmox VE with ZFS 2.4.0. The commands, output, and version numbers are all captured from that system. For features that are architectural (like 32-bit platform retirement), we focus on what it means for your existing workloads rather than just listing the changelog. If you need to install FreeBSD 15 on KVM or Proxmox<\/a> first, that guide covers the full installer walkthrough.<\/p>\n\n\n\n

Tested March 2026<\/strong> | FreeBSD 15.0-RELEASE amd64, OpenSSL 3.5.4, OpenSSH 10.0p2, ZFS 2.4.0-rc4<\/em><\/p>\n\n\n\n

What Changed in FreeBSD 15.0<\/h2>\n\n\n\n

Here is the full picture before we get into the demos:<\/p>\n\n\n\n

Feature<\/th>What’s New<\/th>Impact<\/th><\/tr><\/thead>
pkgbase<\/td>310 base system packages manageable via pkg<\/code><\/td>No more freebsd-update<\/code>, granular base management<\/td><\/tr>
OpenSSL 3.5.4<\/td>ML-KEM and ML-DSA post-quantum algorithms<\/td>Quantum-resistant TLS available now<\/td><\/tr>
OpenSSH 10.0p2<\/td>mlkem768x25519-sha256 default key exchange<\/td>SSH connections are quantum-safe by default<\/td><\/tr>
ZFS 2.4.0<\/td>Block cloning, improved performance<\/td>Instant file copies on ZFS, lower I\/O<\/td><\/tr>
Jails<\/td>File descriptor-based jail operations, service jails<\/td>Race-free jail management, easy daemon isolation<\/td><\/tr>
Linux inotify<\/td>Native inotify implementation<\/td>Better Linux binary compatibility<\/td><\/tr>
32-bit retirement<\/td>i386, armv6, 32-bit PowerPC dropped<\/td>Cleaner codebase, 32-bit apps still run on amd64<\/td><\/tr>
Nanosecond timestamps<\/td>date<\/code> supports %N<\/code> format<\/td>Precise timing in scripts<\/td><\/tr>
USB HID<\/td>usbhid<\/code> replaces ukbd<\/code>\/ums<\/code> as default<\/td>Better device support out of the box<\/td><\/tr>
MIT Kerberos<\/td>Replaces Heimdal<\/td>Better interoperability with Linux\/AD environments<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Full details are in the official FreeBSD 15.0 release announcement<\/a> and release notes<\/a>.<\/p>\n\n\n\n

pkgbase: Manage the Entire Base System with pkg<\/h2>\n\n\n\n

This is the headline feature. The entire base system (kernel, libraries, utilities, everything that ships with FreeBSD) is now split into approximately 310 individual packages. You manage them with the same pkg<\/code> tool used for third-party software. No more running freebsd-update fetch install<\/code> and hoping nothing breaks.<\/p>\n\n\n\n

Query the installed base packages:<\/p>\n\n\n\n

pkg query -a '%n %v' | grep '^FreeBSD-' | head -20<\/code><\/pre>\n\n\n\n
Every base component shows up as an individual package with its own version:<\/p>\n\n\n\n
FreeBSD-acct 15.0\nFreeBSD-acpi 15.0\nFreeBSD-at 15.0\nFreeBSD-atf 15.0\nFreeBSD-audit 15.0\nFreeBSD-autofs 15.0\nFreeBSD-bhyve 15.0\nFreeBSD-blocklist 15.0\nFreeBSD-bluetooth 15.0\nFreeBSD-bmake 15.0\nFreeBSD-bootloader 15.0\nFreeBSD-bsdconfig 15.0\nFreeBSD-bsdinstall 15.0\nFreeBSD-bsnmp 15.0\nFreeBSD-caroot 15.0\nFreeBSD-certctl 15.0\nFreeBSD-clibs 15.0\nFreeBSD-csh 15.0\nFreeBSD-devd 15.0\nFreeBSD-devmatch 15.0<\/code><\/pre>\n\n\n\n
The total count on a fresh 15.0 install:<\/p>\n\n\n\n
pkg query -a '%n' | grep '^FreeBSD-' | wc -l<\/code><\/pre>\n\n\n\n
310 base packages. You can inspect any of them like you would a ports package:<\/p>\n\n\n\n
pkg info FreeBSD-ssh<\/code><\/pre>\n\n\n\n
The SSH package metadata shows origin, license, and install date:<\/p>\n\n\n\n
FreeBSD-ssh-15.0\nName           : FreeBSD-ssh\nVersion        : 15.0\nInstalled on   : Tue Mar 24 11:18:11 2026 UTC\nOrigin         : base\/FreeBSD-ssh\nArchitecture   : FreeBSD:15:amd64\nPrefix         : \/\nCategories     : base\nLicenses       : ISCL\nMaintainer     : re@FreeBSD.org<\/code><\/pre>\n\n\n\n
Enable pkgbase Updates<\/h3>\n\n\n\n
The base package repository is disabled by default. Enable it with a one-liner:<\/p>\n\n\n\n
mkdir -p \/usr\/local\/etc\/pkg\/repos\necho 'FreeBSD-base: { enabled: yes }' > \/usr\/local\/etc\/pkg\/repos\/FreeBSD-base.conf<\/code><\/pre>\n\n\n\n
Now check for base system updates:<\/p>\n\n\n\n
pkg update -r FreeBSD-base<\/code><\/pre>\n\n\n\n
On our freshly installed system, everything is current:<\/p>\n\n\n\n
Updating FreeBSD-base repository catalogue...\nFreeBSD-base repository is up to date.\nFreeBSD-base is up to date.<\/code><\/pre>\n\n\n\n
When security patches land, updating the base is just pkg upgrade<\/code>. You can even lock specific base packages with pkg lock FreeBSD-kernel<\/code> if you need to hold back a kernel update while patching userland.<\/p>\n\n\n\n
Post-Quantum Cryptography with OpenSSL 3.5<\/h2>\n\n\n\n
FreeBSD 15.0 ships OpenSSL 3.5.4 LTS with full support for the NIST post-quantum cryptographic standards: ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation and ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures. These algorithms resist attacks from quantum computers, and they are not behind a feature flag. They are compiled in and ready to use.<\/p>\n\n\n\n
Verify the version:<\/p>\n\n\n\n
openssl version<\/code><\/pre>\n\n\n\n
Confirmed as 3.5.4 LTS:<\/p>\n\n\n\n
OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)<\/code><\/pre>\n\n\n\n
What post-quantum algorithms are available?<\/h3>\n\n\n\n
Three security levels of ML-KEM and ML-DSA ship out of the box, plus hybrid algorithms that combine classical and post-quantum key exchange. List the KEM algorithms:<\/p>\n\n\n\n
openssl list -kem-algorithms<\/code><\/pre>\n\n\n\n
The output shows pure ML-KEM at three security levels and several hybrid options:<\/p>\n\n\n\n
  SecP384r1MLKEM1024 @ default\n  { 1.3.101.110, X25519 } @ default\n  { 1.3.101.111, X448 } @ default\n  { 2.16.840.1.101.3.4.4.1, id-alg-ml-kem-512, ML-KEM-512, MLKEM512 } @ default\n  { 2.16.840.1.101.3.4.4.2, id-alg-ml-kem-768, ML-KEM-768, MLKEM768 } @ default\n  { 2.16.840.1.101.3.4.4.3, id-alg-ml-kem-1024, ML-KEM-1024, MLKEM1024 } @ default\n  X25519MLKEM768 @ default\n  X448MLKEM1024 @ default\n  SecP256r1MLKEM768 @ default<\/code><\/pre>\n\n\n\n
The hybrid algorithms (like X25519MLKEM768<\/code>) combine classical and post-quantum key exchange. Even if ML-KEM turns out to have a weakness, the X25519 component still provides security. This is the belt-and-suspenders approach NIST recommends for the transition period.<\/p>\n\n\n\n
Demo: Sign and Verify with ML-DSA-65<\/h3>\n\n\n\n
Generate a quantum-resistant ML-DSA-65 key pair:<\/p>\n\n\n\n
openssl genpkey -algorithm ML-DSA-65 -out \/tmp\/mldsa65.key\nopenssl pkey -in \/tmp\/mldsa65.key -pubout -out \/tmp\/mldsa65.pub<\/code><\/pre>\n\n\n\n
Lattice-based algorithms need bigger keys to achieve quantum resistance. Compare these sizes to an Ed25519 key (which is 64 bytes):<\/p>\n\n\n\n
ls -la \/tmp\/mldsa65.*<\/code><\/pre>\n\n\n\n
The private key is 5.6 KB, the public key 2.7 KB:<\/p>\n\n\n\n
-rw-------  1 root wheel 5604 Mar 25 01:21 \/tmp\/mldsa65.key\n-rw-r--r--  1 root wheel 2726 Mar 25 01:21 \/tmp\/mldsa65.pub<\/code><\/pre>\n\n\n\n
Now sign a message and verify the signature:<\/p>\n\n\n\n
echo 'Hello FreeBSD 15 with post-quantum crypto' > \/tmp\/message.txt\nopenssl pkeyutl -sign -inkey \/tmp\/mldsa65.key -in \/tmp\/message.txt -out \/tmp\/message.sig\nopenssl pkeyutl -verify -pubin -inkey \/tmp\/mldsa65.pub -in \/tmp\/message.txt -sigfile \/tmp\/message.sig<\/code><\/pre>\n\n\n\n
Verification passes:<\/p>\n\n\n\n
Signature Verified Successfully<\/code><\/pre>\n\n\n\n
ML-KEM key generation works the same way:<\/p>\n\n\n\n
openssl genpkey -algorithm ML-KEM-768 -out \/tmp\/mlkem768.key\nopenssl pkey -in \/tmp\/mlkem768.key -pubout -out \/tmp\/mlkem768.pub\nopenssl pkey -in \/tmp\/mlkem768.key -text -noout | head -3<\/code><\/pre>\n\n\n\n
The seed is the secret from which the full ML-KEM keypair is derived:<\/p>\n\n\n\n
ML-KEM-768 Private-Key:\nseed:\n    a1:4a:bb:13:9f:f0:1f:57:cf:42:63:ea:28:a0:d4:<\/code><\/pre>\n\n\n\n
OpenSSH 10: Quantum-Safe by Default<\/h2>\n\n\n\n
This one caught our attention. OpenSSH 10.0p2 in FreeBSD 15.0 changed the default key exchange algorithm to mlkem768x25519-sha256<\/code>, a hybrid post-quantum algorithm. Every SSH connection on a fresh FreeBSD 15 install uses quantum-resistant key exchange without any configuration changes. You do not have to opt in.<\/p>\n\n\n\n
ssh -V<\/code><\/pre>\n\n\n\n
OpenSSH 10 with OpenSSL 3.5.4:<\/p>\n\n\n\n
OpenSSH_10.0p2, OpenSSL 3.5.4 30 Sep 2025<\/code><\/pre>\n\n\n\n
Check the key exchange algorithms sshd will negotiate, in preference order:<\/p>\n\n\n\n
sshd -T | grep kexalgorithms<\/code><\/pre>\n\n\n\n
mlkem768x25519-sha256<\/code> sits at the top of the list, meaning it is the first choice for every new connection:<\/p>\n\n\n\n
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521<\/code><\/pre>\n\n\n\n
The fallback chain still includes classical algorithms for compatibility with older clients. If the remote end does not support ML-KEM, the connection gracefully falls back to curve25519-sha256<\/code>.<\/p>\n\n\n\n
OpenSSH 10 also adds automatic keystroke timing obfuscation. When you type in an SSH terminal, the timing between keystrokes can leak information about what you are typing. OpenSSH 10 inserts random padding, making keystroke analysis impractical. Enabled by default, no configuration required.<\/p>\n\n\n\n
ZFS 2.4: Block Cloning and Performance<\/h2>\n\n\n\n
FreeBSD 15.0 ships ZFS 2.4.0 with block cloning enabled by default. When you copy a file on ZFS, the filesystem can reference the same data blocks instead of physically duplicating them. Think of it like how ZFS clones work at the dataset level, but applied to individual files through the copy_file_range()<\/code> syscall.<\/p>\n\n\n\n
Check the ZFS version:<\/p>\n\n\n\n
zfs version<\/code><\/pre>\n\n\n\n
Both userland and kernel module report 2.4.0:<\/p>\n\n\n\n
zfs-2.4.0-rc4-FreeBSD_g099f69ff5\nzfs-kmod-2.4.0-rc4-FreeBSD_g099f69ff5<\/code><\/pre>\n\n\n\n
Confirm block cloning is active on your pool:<\/p>\n\n\n\n
zpool get feature@block_cloning zroot<\/code><\/pre>\n\n\n\n
Active and ready:<\/p>\n\n\n\n
NAME   PROPERTY               VALUE   SOURCE\nzroot  feature@block_cloning  active  local<\/code><\/pre>\n\n\n\n
FreeBSD’s cp<\/code> command uses copy_file_range()<\/code> automatically, so block cloning happens transparently. You can monitor how much space it saves:<\/p>\n\n\n\n
zpool get bclonesaved,bcloneused,bcloneratio zroot<\/code><\/pre>\n\n\n\n
On our test system with a few jail clones, the ratio is already 2x:<\/p>\n\n\n\n
NAME   PROPERTY     VALUE  SOURCE\nzroot  bclonesaved  100K   -\nzroot  bcloneused   100K   -\nzroot  bcloneratio  2.00x  -<\/code><\/pre>\n\n\n\n
A bcloneratio<\/code> of 2.00x means ZFS references blocks instead of duplicating them, effectively halving the physical space used for copied data. Particularly useful for jail deployments where multiple jails share similar base files.<\/p>\n\n\n\n
Jail Improvements in FreeBSD 15<\/h2>\n\n\n\n
Jails got two upgrades worth knowing about.<\/p>\n\n\n\n
File Descriptor-Based Jail Operations<\/h3>\n\n\n\n
Previous versions identified jails by integer JIDs. The problem: a jail could be destroyed and recreated with the same JID between the time you looked it up and the time you acted on it. Classic TOCTOU race condition. FreeBSD 15 adds jail_set()<\/code> and jail_get()<\/code> via file descriptors, plus new syscalls jail_attach_jd()<\/code> and jail_remove_jd()<\/code>. Kevent filters can now track jail lifecycle events (creation, changes, removal) without polling.<\/p>\n\n\n\n
Service Jails<\/h3>\n\n\n\n
Service jails confine individual daemons with minimal configuration. Instead of building a full jail with a separate filesystem, a service jail shares the host’s filesystem and isolates only the process. Configure it directly in rc.conf<\/code>:<\/p>\n\n\n\n
sysrc nginx_svcj=\"YES\"<\/code><\/pre>\n\n\n\n
That single line runs Nginx inside a jail the next time the service starts. No separate root filesystem, no jail.conf entry, no epair interfaces. Service jails are ideal for quick isolation of internet-facing daemons.<\/p>\n\n\n\n
For full VNET jail networking with bridge and epair interfaces (where each jail gets its own IP and network stack), see our FreeBSD Jails VNET networking guide<\/a>.<\/p>\n\n\n\n
Nanosecond Precision in date<\/h2>\n\n\n\n
The date<\/code> command now supports the %N<\/code> format specifier for nanosecond precision. Sounds minor, but it matters for log correlation, benchmarking, and any script that needs sub-second timing.<\/p>\n\n\n\n
date '+%Y-%m-%d %H:%M:%S.%N'<\/code><\/pre>\n\n\n\n
Nine digits of sub-second precision:<\/p>\n\n\n\n
2026-03-25 01:21:15.266045940<\/code><\/pre>\n\n\n\n
Unix epoch with nanoseconds:<\/p>\n\n\n\n
date '+%s.%N'<\/code><\/pre>\n\n\n\n
Useful for timing operations in shell scripts:<\/p>\n\n\n\n
1774401675.266958911<\/code><\/pre>\n\n\n\n
On FreeBSD 14 and earlier, %N<\/code> produced a literal N<\/code> character. No error, just wrong output. Worth checking if you have scripts that were already trying to use it.<\/p>\n\n\n\n
Linux Compatibility: Native inotify<\/h2>\n\n\n\n
FreeBSD’s Linux compatibility layer (Linuxulator) now includes a native inotify<\/code> implementation. Linux applications that monitor filesystem changes using inotify can now run on FreeBSD without workarounds or patches. This matters for tools like Node.js file watchers, Docker builds, and any Linux binary that relies on inotifywait<\/code>.<\/p>\n\n\n\n
Load the Linux compatibility module and check the emulated kernel version:<\/p>\n\n\n\n
kldload linux64\nsysctl compat.linux.osrelease<\/code><\/pre>\n\n\n\n
The Linuxulator reports Linux kernel 5.15.0 to applications:<\/p>\n\n\n\n
compat.linux.osrelease: 5.15.0<\/code><\/pre>\n\n\n\n
That version is high enough for most Linux binaries that check for minimum kernel versions.<\/p>\n\n\n\n
USB HID as the Default Input Driver<\/h2>\n\n\n\n
FreeBSD 15 enables usbhid<\/code> by default, replacing the older ukbd<\/code> (keyboard), ums<\/code> (mouse), and uhid<\/code> (generic HID) drivers. The new driver handles keyboards, mice, touchpads, game controllers, digitizers, and compound devices through a single unified stack.<\/p>\n\n\n\n
sysctl hw.usb.usbhid.enable<\/code><\/pre>\n\n\n\n
Enabled by default on fresh installs:<\/p>\n\n\n\n
hw.usb.usbhid.enable: 1<\/code><\/pre>\n\n\n\n
If you have custom configurations referencing ukbd<\/code> or ums<\/code> in \/boot\/loader.conf<\/code>, those still work but are redundant on 15.0.<\/p>\n\n\n\n
32-Bit Platform Retirement<\/h2>\n\n\n\n
FreeBSD 15 drops i386, armv6, and 32-bit PowerPC as hardware platforms. The armv7<\/code> platform remains as the last supported 32-bit architecture. The practical impact for most people: none. 32-bit application support continues on amd64 through the compatibility layer:<\/p>\n\n\n\n
sysctl kern.features.compat_freebsd_32bit<\/code><\/pre>\n\n\n\n
Still available:<\/p>\n\n\n\n
kern.features.compat_freebsd_32bit: 1<\/code><\/pre>\n\n\n\n
Existing 32-bit applications and libraries still run. What changed is that FreeBSD no longer builds or ships installation media for 32-bit only hardware. If you are still running i386 servers, FreeBSD 14 is your last stop.<\/p>\n\n\n\n
Other Notable Changes<\/h2>\n\n\n\n
Kerberos Migration to MIT<\/h3>\n\n\n\n
FreeBSD 15 ships MIT Kerberos 1.22.1, replacing the Heimdal 1.5.2 implementation that FreeBSD has used for decades. MIT Kerberos has better interoperability with Active Directory and Linux environments. Heimdal will be fully removed in FreeBSD 16, so start migrating any Heimdal-specific configurations now.<\/p>\n\n\n\n
NVMe over Fabrics<\/h3>\n\n\n\n
NVMe-oF support via TCP transport is new in 15.0. Remote NVMe controllers can be accessed as if they were locally attached, with export support through the CAM target layer. This enables disaggregated storage architectures where compute and storage nodes communicate over standard Ethernet.<\/p>\n\n\n\n
Networking Improvements<\/h3>\n\n\n\n