Set custom preferences for Brave browser in disposable qube

Community Guides
,
1

The initial_preferences json file can be used to configure the preferences that will be used by default in newly created profiles.
The Brave browser is reading initial_preferences from /opt/brave.com/brave/initial_preferences.
The Brave browser profile preferences are stored in ~/.config/BraveSoftware/Brave-Browser/Default/Preferences json file. You can use it as as a base and modify it to your needs for its use as initial_preferences file.
You can run Brave browser in some qube, configure all the settings that you want, convert the Preferences json file to a readable format using this command:

python3 -m json.tool ~/.config/BraveSoftware/Brave-Browser/Default/Preferences > ~/initial_preferences

Then edit ~/initial_preferences file and remove all unnecessary settings from this file (timestamps, UUIDs, default settings etc) and then use this file for your disposables.
You can check if the resulting json file is valid by running this command:

python3 -m json.tool ~/initial_preferences > /dev/null

If you want to check which option in JSON preferences file correspond to which option in GUI then you can do this:
Switch option on/off.
Save config:

python3 -m json.tool ~/.config/BraveSoftware/Brave-Browser/Default/Preferences > pref1

Switch option off/on.
Save config:

python3 -m json.tool ~/.config/BraveSoftware/Brave-Browser/Default/Preferences > pref2

Check differences:

diff -u5 -I '"last_modified"' -I '"time"' -I '"session_last_active_time"' -I '"last_update_time"' -I '"left"' -I '"right"' -I '"last_engagement_time"' -I '"lastEngagementTime"' -I '"pointsAddedToday"' -I '"rawScore"' -I '"tab_count"' pref1 pref2 | less

Once you’ve created your initial_preferences file you can place it in disposable template:
Open terminal of disposable template for Brave browser.
Copy the initial_preferences file to the disposable template.
Configure bind-dirs for initial_preferences file and copy the initial_preferences file to the right location by running these commands:

sudo mkdir -p /rw/config/qubes-bind-dirs.d
cat << 'EOF' | sudo tee -a /rw/config/qubes-bind-dirs.d/50_brave.conf > /dev/null
binds+=( '/opt/brave.com/brave/initial_preferences' )
EOF
sudo mkdir -p /rw/bind-dirs/opt/brave.com/brave
sudo cp /home/user/QubesIncoming/*/initial_preferences /rw/bind-dirs/opt/brave.com/brave/
To set it up in the template instead of a disposable template use these commands in the template instead: 
sudo mkdir -p /opt/brave.com/brave
sudo cp /home/user/QubesIncoming/*/initial_preferences /opt/brave.com/brave/

The same should work for any Chromium browser, but the initial_preferences file location and browser-specific preferences will differ.

Example initial_preferences config based on this recommended Brave configuration:

initial_preferences 
{
    "brave": {
        // Hide Brave Rewards button
        "brave_ads": {
            "should_allow_ads_subdivision_targeting": false
        },
        // Select Auto-redirect AMP pages
        "de_amp": {
            "enabled": true
        },
        // Select Auto-redirect tracking URLs
        "debounce": {
            "enabled": true
        },
        "enable_window_closing_confirm": true,
        // Uncheck all social media components
        "fb_embed_default": false,
        // Uncheck all social media components
        "linkedin_embed_default": false,
        // Uncheck Use Google services for push messaging
        "gcm": {
            "channel_status": false
        },
        "new_tab_page": {
            "hide_all_widgets": true,
            "show_background_image": false,
            "show_brave_news": false,
            "show_rewards": false,
            "show_stats": false,
            "show_together": false
        },
        // Select Prevent sites from fingerprinting me based on my language preferences
        "reduce_language": true,
        // Hide Brave Rewards button
        "rewards": {
            "badge_text": "",
            "show_brave_rewards_button_in_location_bar": false
        },
        "today": {
            "should_show_toolbar_button": false
        },
        // Uncheck all social media components
        "twitter_embed_default": false,
        "wallet": {
            // Select Extensions (no fallback) under Default Solana wallet
            "default_solana_wallet": 1,
            // Select Extensions (no fallback) under Default Ethereum wallet
            "default_wallet2": 1,
            "show_wallet_icon_on_toolbar": false
        },
        // Uncheck all built-in extensions you don't use
        "webtorrent_enabled": false
    },
    "browser": {
        "custom_chrome_frame": false,
        "has_seen_welcome_page": true
    },
    // Uncheck all built-in extensions you don't use
    "media_router": {
        "enable_media_router": false
    },
    "ntp": {
        "custom_background_inspiration": false,
        "custom_background_local_to_device": false,
        "shortcust_visible": false
    },
    // Select Aggressive under Trackers & ads blocking
    "profile": {
        "content_settings": {
            "exceptions": {
                "cosmeticFiltering": {
                    "*,*": {
                        "setting": 2
                    },
                    "*,https://firstparty": {
                        "setting": 2
                    }
                },
                // Check Block fingerprinting
                "fingerprintingV2": {
                    "*,*": {
                        "setting": 3
                    }
                },
                "shieldsAds": {
                    "*,*": {
                        "setting": 2
                    }
                },
                "trackers": {
                    "*,*": {
                        "setting": 2
                    }
                }
            }
        },
        // Select Block third-party cookies
        "cookie_controls_mode": 1,
        "default_content_setting_values": {
            // Check Forget me when I close this site 
            "brave_remember_1p_storage": 2,
            // Select Delete data sites have saved to your device when you close all windows under Sites and Shields Settings → Content → Additional content settings → On-device site data.
            "cookies": 4,
            // Select Strict under Upgrade connections to HTTPS
            "httpsUpgrades": 2,
            "javascript_jit": 2
        }
    },
    // Select Automatically remove permissions from unused sites under Sites and Shields Settings
    "safety_hub": {
        "unused_site_permissions_revocation": {
            "enabled": false
        }
    },
    // Disable Show search suggestions
    "search": {
        "suggest_enabled": false
    },
    // Select Disable non-proxied UDP under WebRTC IP Handling Policy
    "webrtc": {
        "ip_handling_policy": "disable_non_proxied_udp"
    }
}

Some settings can’t be changed using initial_preferences and you need to use policy settings:

sudo mkdir -p /rw/config/qubes-bind-dirs.d
cat << 'EOF' | sudo tee -a /rw/config/qubes-bind-dirs.d/50_brave.conf > /dev/null
binds+=( '/etc/brave/policies/managed/GroupPolicy.json' )
EOF
sudo mkdir -p /rw/bind-dirs/etc/brave/policies/managed/
cat << 'EOF' | sudo tee /rw/bind-dirs/etc/brave/policies/managed/GroupPolicy.json > /dev/null
{
    // Disable Tor, use Tor Browser instead
    "TorDisabled": true,
    // Uncheck Automatically send diagnostic reports
    "MetricsReportingEnabled": false
}
EOF
To set it up in the template instead of a disposable template use these commands in the template instead: 
sudo mkdir -p /etc/brave/policies/managed/
cat << 'EOF' | sudo tee /etc/brave/policies/managed/GroupPolicy.json > /dev/null
{
    // Disable Tor, use Tor Browser instead
    "TorDisabled": true,
    // Uncheck Automatically send diagnostic reports
    "MetricsReportingEnabled": false
}
EOF

But these options:

  • Uncheck Allow privacy-preserving product analytics (P3A)
  • Uncheck Automatically send daily usage ping to Brave
  • Uncheck Continue running apps when Brave is closed to disable background apps

Can’t be changed using initial_preferences or policy settings so you’ll need to change them manually.
They are stored in ~/.config/BraveSoftware/Brave-Browser/Local State file so you can create this file in the disposable template’s user home directory:

cat << 'EOF' | tee ~/.config/BraveSoftware/Brave-Browser/Local\ State > /dev/null
{
    // Uncheck Continue running apps when Brave is closed to disable background apps
    "background_mode": {
        "enabled": false
    },
    // Disable hardware acceleration
    "hardware_acceleration_mode": {
        "enabled": false
    },
    // Disable Tor, use Tor Browser instead
    "tor": {
        "tor_disabled": true
    },
    "brave": {
        // Uncheck Allow privacy-preserving product analytics (P3A)
        "p3a": {
            "enabled": false
        },
        // Uncheck Automatically send daily usage ping to Brave
        "stats": {
            "reporting_enabled": false
        }
    },
    // Uncheck Automatically send diagnostic reports
    "user_experience_metrics": {
        "reporting_enabled": false
    }
}
EOF
To set it up in the template instead of a disposable template use these commands in the template instead:

They are stored in ~/.config/BraveSoftware/Brave-Browser/Local State file so you can place this file in the /etc/skel directory in the template so it’ll be copied to the newly created app qubes:

sudo mkdir -p /etc/skel/.config/BraveSoftware/Brave-Browser/
cat << 'EOF' | sudo tee /etc/skel/.config/BraveSoftware/Brave-Browser/Local\ State > /dev/null
{
    // Uncheck Continue running apps when Brave is closed to disable background apps
    "background_mode": {
        "enabled": false
    },
    // Disable hardware acceleration
    "hardware_acceleration_mode": {
        "enabled": false
    },
    // Disable Tor, use Tor Browser instead
    "tor": {
        "tor_disabled": true
    },
    "brave": {
        // Uncheck Allow privacy-preserving product analytics (P3A)
        "p3a": {
            "enabled": false
        },
        // Uncheck Automatically send daily usage ping to Brave
        "stats": {
            "reporting_enabled": false
        }
    },
    // Uncheck Automatically send diagnostic reports
    "user_experience_metrics": {
        "reporting_enabled": false
    }
}
EOF
3 Likes
2

Thanks for the very simple and effective guide. Is there a similar mechanism available in Brave to populate the 'Local State' file (~/.config/BraveSoftware/Brave-Browser/) with initial preferences?

Disabling the following three settings is suggested by the guide linked above:

Privacy & Security > Data collection > analytics (p3a) & daily usage ping Brave (stats)
System > continue running apps

But simply adding the relevant JSON entries to intitial_preferences will not propogate to the 'Local State' file.

JSON entries for Local State 
 {
	  "background_mode": {
	    "enabled": false
	  },
	  
        "brave": {
             "p3a": {
                "enabled": false
            },
            "stats": {
                "reporting_enabled": false
            }
}

Side note, additional entries beyond these three could be set automatically as well (see Brave Disposable).

3

You can disable Automatically send diagnostic reports by using chromium policy in template:

sudo mkdir -p /etc/brave/policies/managed/
cat << 'EOF' | sudo tee -a /etc/brave/policies/managed/GroupPolicy.json /dev/null
{
    "MetricsReportingEnabled": false
}
EOF

But it seems that it’s not possible currently to disable Allow privacy-preserving product analytics (P3A) and Automatically send daily usage ping to Brave:

1 Like
4

I’ve updated the guide to add the up to date settings and more details.

5

On second thought you can do this:

6

Will this work from Template to App VM as disposable template to disposable Brave browser?

7

Only for the newly created app qubes.
If you change /etc/skel/.config/BraveSoftware/Brave-Browser/Local\ State in the template then ~/.config/BraveSoftware/Brave-Browser/Local\ State file won’t be changed in already existing app qubes:

8

Brilliant, that worked. Analytics and daily pings now disabled by default in disposable Brave browser.

9

What would be the difference to just run Brave in offline dvm-template, set it as wished, and then run Brave in dispvm?
Also, is there a solution --password-store=basic switch to survive Brave update?

10

Each would be disposable and have the same settings. Starting Brave in an appVM and then using that as a disposable template would begin with the same Local State data for each disposable session. Whereas this tutorial allows for one to have a disposable browser that is “brand new” each time, so more difficult to profile and track.

11

“Brand new”, but customized? I’m missing something obviously, because, and I apologize, didn’t get into details because it looks like the purpose of this is to customize Brave, which is then traceable too…

12

This setup will not match the Tor or Mullvad browsers on traceability. It will give a more private option for cases where Chrome is the only workable option. If traceability matters and only Chrome works, then stock Brave in a disposable may make more sense.

13

On first start of Brave in disposable template it’ll create an unique profile with UUIDs/timestamps/etc so when you start disposables based on this disposable template they’ll all have the same profile with the same UUIDs/timestamps/etc.
But if you configure the Brave as described in the guide and won’t start the Brave in the disposable template then when you start Brave in the disposables it’ll create new profile each time with new UUIDs/timestamps/etc so all disposables will be unique (except for having the same settings that you set up in the files described in the guide).

14

Thanks for clarifying. Please correct me if I’m wrong, because I’m genuinely interested in this: if I set Brave via files suggested above, and set it the same via run it in a dvm-template, that customization is unique regardless of happened in the same profile, or always in a new profile?

For the sake of argument, if I set as default font some crazy font only I use in the whole world, will that “craziness” lead to me regardless of how many profiles I run?

I’m asking because as I see it any customization profiles me. Especially when Brave. For such things I’m using Librewolf, stock, which is anyway harder to customize, while less needed to be customized actually…

EDIT: When I customize Brave, I actually use that customization to confirm my identity. For example, my bank will be sure that that’s exactly I am the one who logged in on my e banking. So I use customization for the totally opposite purpose, not to anonymyze myself (via clear net above all?!).

15

Additional message because of those who reads via email.

To profile me as less as possible, I actually create as much as possible profiles for the same sites.

16

That would be my assumption. If you follow this guide, without any additional customizations, then wrt Brave you would only be unique up to the number of people employing the privacyguides setup. I wouldn’t count on this alone for privacy though.

The techniques described in this guide allow for the possibility of creating the same identity profiling settings but set up as a disposable. I use disposables with unique identity for my bank and other identity dependent services, but create these by running Brave in the disposable template first, since the profile is useful for creating a consistent identity.

1 Like
17

Exactly (what I wrote already in my first post here)! So, since I run this customized profile in a disposable, and only accessing bank in that instance, with that profile, and no other site, no online adversary ( I don’t use wifi) can access my customization, thus being unable to spoof/phish/whatever to convince the bank that it was me actually trying to access it.

So I rather see customization as an additional layer of security (instead layer of privacy/anonymity) in this context, which is possible only in Qubes, thanks to compartmentalization it provides.

I’ve seen too many people on this forum not thinking through “security through compartmentalization” Qubes’ tenet, so hopefully this topic will inspire them to achieve it via customization (too) one way or another.

18

In case someone can answer this, and it was overlooked because of tons of my following messages.

19

Yes, the customization is the same regardless if you’ve done it manually or using config files.
But I don’t know if there are some unique identifiers created during profile creation that could be used to make you less unique when using the same profile compared to using newly created profile on each start.

Yes.

I don’t think that e.g. your bank is detecting that it’s you just by looking at your customization settings. It should be checking your cookies but you need to login in your bank account in your disposable template for your cookies to persist. Also cookies are expiring so you need to periodically login in the bank account in your disposable template to refresh them.

1 Like
20

Now even this doesn’t work anymore, at least for me. both brave-browser.desktop (lical/share/app… and usr/share/app… ) contain the swith but

qvm-run -q -a --service --dispvm=f40-min-bravebrowser-dvm-tmplt – qubes.StartApp+brave-browser

produces Unlock Keyring dialog box… Insane…