As you know already, no matter what you do, if the key is available to the application, it will certainly be available to malicious code that has gained root access on the server, and most probably to code that has gained access to the UID under which the application runs too. It’s just a question of how easy it is.

Buy since your application is not long-running, it sounds like you will have to accept a level of risk beyond that.

Your idea is to use a daemon of some sort which keeps the keys in RAM and can be queried by the application. That works, but you probably already realise that if your application can query it, then malicious code can query it too. If you choose that option anyway, consider using memcached (why reinvent the wheel?).

The only other option I can think of would be to write an Apache module (in C) that loads the secret at system startup time (after which the persistent copy of the secret is unmounted) and a PHP extension (in C) to get the secret from the Apache module that lives in the same process. That assumes you’re using PHP as an Apache module, not as an external process. But to me this sounds like overkill, because it is quite complex and it doesn’t actually remove the risk.

Have you considered what to do about swap space? You can use mlock or similar (in C) to keep the secret from being written to swap if it’s in a confined location, but it would be difficult to protect it in this way once it’s been handed over to the PHP interpreter. So you had better run the system without swap.

Consider a design change that will confine the secret to a single location in a long-running daemon (probably not written in PHP) and have the PHP application delegate the cryptographic functions that need access to the secret to this daemon.