{"id":168250,"date":"2026-06-01T13:54:01","date_gmt":"2026-06-01T10:54:01","guid":{"rendered":"https:\/\/computingforgeeks.com\/?p=168250"},"modified":"2026-06-01T13:54:01","modified_gmt":"2026-06-01T10:54:01","slug":"install-trivalent-hardened-browser-fedora","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/install-trivalent-hardened-browser-fedora\/","title":{"rendered":"Install Trivalent Hardened Browser on Fedora"},"content":{"rendered":"<p>Most &#8220;secure browser&#8221; guides hand you a privacy extension and call it a day. Trivalent takes a different route. It is a Chromium build for desktop Linux that carries the hardening patches from <a href=\"https:\/\/github.com\/GrapheneOS\/Vanadium\" target=\"_blank\" rel=\"noreferrer noopener\">Vanadium<\/a>, the browser GrapheneOS ships on hardened Android, and ports them to the desktop. The result is a Chromium that flips risky defaults to opt-in, strips telemetry, and turns on content filtering before you touch a single setting.<\/p>\n\n<p>This guide covers how to install Trivalent on a normal Fedora 44 Workstation, shows the one install detail that trips up nearly every other guide online, and walks through the hardening toggles that ship disabled so you know what you are turning on. Trivalent comes from the <a href=\"https:\/\/github.com\/secureblue\/secureblue\" target=\"_blank\" rel=\"noreferrer noopener\">secureblue<\/a> project and is built for Fedora, so if you have already set up <a href=\"https:\/\/computingforgeeks.com\/install-google-chrome-on-centos-and-fedora\/\">stock Google Chrome<\/a> or <a href=\"https:\/\/computingforgeeks.com\/install-brave-web-browser-on-fedora\/\">Brave<\/a> on Fedora, this slots in the same way, from the secureblue RPM repository.<\/p>\n\n<p><em>Verified working: <strong>June 2026<\/strong> on Fedora 44 Workstation (kernel 7.0.8), Trivalent 148.0.7778.215 from the secureblue repo.<\/em><\/p>\n\n<h2>What Trivalent actually changes<\/h2>\n\n<p>Trivalent is a security browser, not a privacy browser. That distinction matters and the project is blunt about it: anything that trades security for &#8220;privacy&#8221; is explicitly out of scope, which is why it refuses to re-enable the old Manifest V2 extension API. What you get instead is a Chromium with a smaller attack surface and saner defaults.<\/p>\n\n<p>The concrete changes worth knowing before you install:<\/p>\n\n<ul>\n<li>Vanadium desktop hardening patches applied to the Chromium engine<\/li>\n<li>Content filtering on by default using Chromium&#8217;s built-in subresource filter, no extension required<\/li>\n<li>Secondary features like the password manager and search suggestions made opt-in instead of opt-out<\/li>\n<li>Opt-in metrics and data collection disabled at the source<\/li>\n<li>Extra security and privacy controls added to <code>chrome:\/\/settings\/security<\/code> that stock Chromium does not expose<\/li>\n<\/ul>\n\n<p>None of this needs configuration to take effect. You install it, and the hardened defaults are already live.<\/p>\n\n<h2>Prerequisites<\/h2>\n\n<p>This guide targets the RPM side of the house. Trivalent is packaged for Fedora only.<\/p>\n\n<ul>\n<li>Fedora 42, 43, or 44 (Workstation, Silverblue, or a spin). Tested here on Fedora 44 Workstation<\/li>\n<li>x86_64 or aarch64 architecture, both are built<\/li>\n<li>A user account with <code>sudo<\/code> privileges<\/li>\n<\/ul>\n\n<p>One thing to set expectations early: there is no Debian, Ubuntu, or Kali package, and no <a href=\"https:\/\/computingforgeeks.com\/install-flatpak-flathub-fedora\/\">Flatpak build<\/a> yet. There is also no EPEL or RHEL build, so Rocky Linux and AlmaLinux are out for now. If you are not on Fedora, your closest hardened alternative is running <a href=\"https:\/\/computingforgeeks.com\/installing-chromium-web-browser-on-linux\/\">plain Chromium<\/a> with your own policy, because Trivalent will not install outside the Fedora family.<\/p>\n\n<h2>Add the secureblue repository<\/h2>\n\n<p>This is where almost every other guide gets it wrong. Search around and you will find advice to run <code>dnf copr enable secureblue\/trivalent<\/code> followed by <code>dnf install trivalent-chromium<\/code>. That COPR exists, but it only holds build inputs (the Chromium source tarball and the subresource filter lists). There is no browser binary in it. The actual package lives in the secureblue RPM repository.<\/p>\n\n<p>Drop the repo file into place and import the signing key:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>sudo curl -fsSL https:\/\/repo.secureblue.dev\/secureblue.repo -o \/etc\/yum.repos.d\/secureblue.repo\nsudo rpm --import https:\/\/repo.secureblue.dev\/secureblue.gpg<\/code><\/pre>\n\n\n<p>The repository is a flat repo signed by the secureblue maintainer key. Confirm the browser package is now visible:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>dnf list --available trivalent<\/code><\/pre>\n\n\n<p>You should see the <code>trivalent<\/code> package resolve from the secureblue repo:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>Available packages\ntrivalent.x86_64    148.0.7778.215-444977    secureblue<\/code><\/pre>\n\n\n<p>With the package resolving from the secureblue repo, the browser itself is one command away.<\/p>\n\n<h2>Install Trivalent<\/h2>\n\n<p>With the repo wired up, the install is a single command. The first run will ask you to accept the secureblue GPG key if you skipped the manual import above.<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>sudo dnf install trivalent<\/code><\/pre>\n\n\n<p>The download is sizeable because Trivalent bundles its own Chromium runtime rather than leaning on system libraries. Once it finishes, confirm the version that landed:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>rpm -q trivalent<\/code><\/pre>\n\n\n<p>The query returns the exact build, so you can match it against the project&#8217;s <a href=\"https:\/\/github.com\/secureblue\/Trivalent\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub releases<\/a>:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>trivalent-148.0.7778.215-444977.x86_64<\/code><\/pre>\n\n\n<p>Here is the full sequence captured on the Fedora 44 test box, from adding the repository through to the version check:<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1800\" height=\"940\" src=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-install-verify-fedora.png\" alt=\"Trivalent 148 install and version check in a Fedora 44 terminal\" class=\"wp-image-168245\" title=\"\" srcset=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-install-verify-fedora.png 1800w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-install-verify-fedora-300x157.png 300w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-install-verify-fedora-1024x535.png 1024w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-install-verify-fedora-768x401.png 768w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-install-verify-fedora-1536x802.png 1536w\" sizes=\"auto, (max-width: 1800px) 100vw, 1800px\" \/><\/figure>\n\n\n<p>If you run KDE Plasma or another Qt desktop and want native dialogs and theming, add the optional Qt 6 integration package:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>sudo dnf install trivalent-qt6-ui<\/code><\/pre>\n\n\n<p>On GNOME the base package is all you need. Launch it from the Activities overview, or from a terminal with the <code>trivalent<\/code> command.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1080\" src=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-browser-running-fedora.png\" alt=\"Trivalent hardened Chromium browser running on Fedora showing the secureblue website over HTTPS\" class=\"wp-image-168247\" title=\"\" srcset=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-browser-running-fedora.png 1920w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-browser-running-fedora-300x169.png 300w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-browser-running-fedora-1024x576.png 1024w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-browser-running-fedora-768x432.png 768w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-browser-running-fedora-1536x864.png 1536w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/figure>\n\n\n<p>On the surface it is an ordinary Chromium browser. What sets it apart sits one settings page deep.<\/p>\n\n<h2>Hardening controls worth knowing about<\/h2>\n\n<p>Open <code>chrome:\/\/settings\/security<\/code> and scroll to the <strong>Hardening<\/strong> section. That block does not exist in upstream Chromium, and it is where Trivalent&#8217;s posture becomes visible. Two defaults stand out.<\/p>\n\n<p><strong>Block 3D APIs<\/strong> is on by default. It blocks web-facing access to WebGL and the GPU, which is a frequent source of both browser exploits and fingerprinting. Just above it, <strong>JavaScript optimization<\/strong> ships off by default, and Trivalent spells out the trade in the description: leaving it off makes the V8 engine more resistant to attacks at a small cost to speed on heavy sites. Higher up the same page, secure DNS and &#8220;Always use secure connections&#8221; are both enabled, with the warning set to cover private sites as well as public ones.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1080\" src=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-settings-security.png\" alt=\"Trivalent chrome settings security Hardening section with Block 3D APIs enabled on Fedora\" class=\"wp-image-168246\" title=\"\" srcset=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-settings-security.png 1920w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-settings-security-300x169.png 300w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-settings-security-1024x576.png 1024w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-settings-security-768x432.png 768w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-settings-security-1536x864.png 1536w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/figure>\n\n\n<p>A few toggles ship disabled because they can break sites. The <strong>Network Service Sandbox<\/strong> tightens isolation around the network process but can clear cookies on exit on some setups, so it stays off until you opt in. There is also a Website Dark Mode preference under <code>chrome:\/\/settings\/appearance<\/code> for forcing dark rendering on pages that do not offer it.<\/p>\n\n<p>A second layer of hardening lives behind <code>chrome:\/\/flags<\/code>. These are off by default because they can cause breakage, but they are worth enabling if you want the strictest posture:<\/p>\n\n<ul>\n<li><code>#show-punycode-domains<\/code> renders internationalized domains as raw punycode, which kills a common phishing trick where a lookalike Unicode character impersonates a real domain<\/li>\n<li><code>#clear-cross-origin-referrers<\/code> strips the referrer on cross-origin requests so sites learn less about where you came from<\/li>\n<\/ul>\n\n<p>The reverse case is covered too. Trivalent&#8217;s default pop-up blocker is aggressive, and if it gets in your way you can loosen it with <code>#strict-popup-blocking<\/code> rather than fighting individual sites.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1080\" src=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-flags-hardening.png\" alt=\"Trivalent chrome flags show punycode for IDN domains hardening flag on Fedora\" class=\"wp-image-168248\" title=\"\" srcset=\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-flags-hardening.png 1920w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-flags-hardening-300x169.png 300w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-flags-hardening-1024x576.png 1024w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-flags-hardening-768x432.png 768w, https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-trivalent-flags-hardening-1536x864.png 1536w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/figure>\n\n\n<p>The built-in content filter is the piece you do not have to configure at all. It uses Chromium&#8217;s internal subresource filter with lists maintained by the <a href=\"https:\/\/github.com\/secureblue\/trivalent-subresource-filter\" target=\"_blank\" rel=\"noreferrer noopener\">trivalent-subresource-filter<\/a> project, so ads and trackers are blocked engine-side without a third-party extension that could read your browsing. If you have been bolting privacy extensions onto Brave or Chrome, that responsibility moves into the browser itself here.<\/p>\n\n<h2>Trivalent on Fedora Silverblue and atomic spins<\/h2>\n\n<p>Trivalent was built for secureblue, which is an atomic Fedora system, so the atomic path is a first-class option. On Silverblue, Kinoite, or any rpm-ostree based spin, the package layers in instead of installing through <code>dnf<\/code>. Add the same repo file, then layer the package:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>sudo rpm-ostree install trivalent<\/code><\/pre>\n\n\n<p>Reboot to apply the new deployment, and Trivalent shows up in your app grid like any other layered package. Everything in the hardening section applies identically once it is running.<\/p>\n\n<h2>Keeping Trivalent updated<\/h2>\n\n<p>Trivalent tracks Chromium closely, and security fixes land fast, so updating promptly is the whole point of running a hardened browser. On a standard Fedora install it upgrades with the rest of your system:<\/p>\n\n\n<pre class=\"wp-block-code code\"><code>sudo dnf upgrade --refresh trivalent<\/code><\/pre>\n\n\n<p>On an atomic spin it rides along with your next <code>rpm-ostree upgrade<\/code>. Because every GitHub release maps to an RPM in the repo, the version you see with <code>rpm -q trivalent<\/code> always lines up with an upstream tag, which makes it easy to confirm you are on a build that includes the latest Chromium security patches.<\/p>\n\n<p>That is the trade Trivalent asks you to make. You give up Google sync, proprietary codecs, and a couple of conveniences that are now opt-in, and in return you get a Chromium that was hardened before you opened it. Set it up alongside your other <a href=\"https:\/\/computingforgeeks.com\/post-install-fedora-44-workstation\/\">first-day Fedora 44 tasks<\/a>, and on a daily driver paired with a properly <a href=\"https:\/\/computingforgeeks.com\/security-hardening-fedora\/\">hardened base system<\/a>, it is one of the few browsers where the secure choice is also the default one.<\/p>","protected":false},"excerpt":{"rendered":"<p>Most &#8220;secure browser&#8221; guides hand you a privacy extension and call it a day. Trivalent takes a different route. It is a Chromium build for desktop Linux that carries the hardening patches from Vanadium, the browser GrapheneOS ships on hardened Android, and ports them to the desktop. The result is a Chromium that flips risky &#8230; <a title=\"Install Trivalent Hardened Browser on Fedora\" class=\"read-more\" href=\"https:\/\/computingforgeeks.com\/install-trivalent-hardened-browser-fedora\/\" aria-label=\"Read more about Install Trivalent Hardened Browser on Fedora\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":168249,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29,299,50],"tags":[1072,282,205],"cfg_series":[],"class_list":["post-168250","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-fedora","category-how-to","category-linux-tutorials","tag-browser","tag-linux","tag-security"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/168250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=168250"}],"version-history":[{"count":1,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/168250\/revisions"}],"predecessor-version":[{"id":168251,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/168250\/revisions\/168251"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/168249"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=168250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=168250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=168250"},{"taxonomy":"cfg_series","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/cfg_series?post=168250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}