Chef allows you to define the state your servers (local or cloud) should be in and enforces it.
$ knife data bag list
Chef/knife (encrypted data bag)
Chef/knife with path to secret file
Be aware of what you put into chef recipes
Info on securing chef: https://learn.chef.io/skills/be-a-secure-chef/