If you are not using Chef-Vault, you are really missing out, either on storing secrets securely or on being able to automate more things.
You can put items such as SSH keys, BIG-IP passwords, IIS Application Pool Identities, licenses, etc. into Chef-Vault. Even if you are not using these vault items in your cookbooks, the underlying operating system can access the encrypted values to perform other functions.
One interesting feature that was recently added to Chef-Vault is that it now stores the passed search query. If you look at the databag_keys.json file, you'll see a key/value pair called "search_query". Every time you update your databag with a new search query, this value gets updated.
I like choosing a search value that describes the role of the server. This can be the runlist, or an actual Chef role.
With the new Refresh command that was recently merged, we can now very quickly and easily re-run the search and add any new nodes. With some automation behind Chef-Vault, say from your valuestream, you can give access to new servers with this quick command.
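As an added example (not from the original post or the Chef-Vault project), this Ruby check compares the clients recorded in a vault keys item with the nodes its stored "search_query" currently matches, showing which nodes a refresh would pick up and which clients still hold access without matching. Only "search_query" comes from the post; the item name, node names, and the "clients"/"admins"/per-client key layout are constructed assumptions.

```ruby
require 'json'
require 'set'

# Constructed sample of a vault keys item. Only "search_query" is named in the
# post; the "clients"/"admins" lists and per-name key entries are an assumed layout.
KEYS_ITEM_JSON = <<~JSON
  {
    "id": "app_pool_identity_keys",
    "admins": ["alice"],
    "clients": ["web01", "web02", "web-old"],
    "search_query": "role:webserver",
    "alice": "<encrypted-key>",
    "web01": "<encrypted-key>",
    "web-old": "<encrypted-key>"
  }
JSON

# Constructed stand-in for the node names the stored query matches today.
# In practice this list would come from running the search on the Chef server.
SAMPLE_SEARCH_RESULT = %w[web01 web02 web03].freeze

# Compare who is recorded as able to decrypt the item with the nodes the
# stored search query matches now (results are passed in, so this runs offline).
def vault_access_drift(keys_item, matching_nodes)
  query = keys_item['search_query']
  raise ArgumentError, 'keys item has no search_query stored' if query.nil? || query.empty?

  granted = Set.new(keys_item.fetch('clients', []))
  current = Set.new(matching_nodes)
  # Listed as a client but no per-client key entry: listed, yet unable to decrypt.
  without_key = granted.reject { |name| keys_item.key?(name) }

  {
    search_query: query,
    to_add: (current - granted).sort,   # match the query, not yet granted
    stale: (granted - current).sort,    # granted, no longer match the query
    listed_without_key: without_key.sort
  }
end

if __FILE__ == $PROGRAM_NAME
  report = vault_access_drift(JSON.parse(KEYS_ITEM_JSON), SAMPLE_SEARCH_RESULT)
  puts JSON.pretty_generate(report)
end
```

Reviewing the `stale` list matters as much as the additions: a node that changed role keeps its access until it is explicitly removed.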