You cannot write:
deploy:
api_key:
secure: $DEPLOYMENT_KEY
Decryption happens in an early stage of the Travis build process; the encrypted value will be passed on to the app which compiles the bash script to build. Since the part that is responsible for decrypting secrets doesn’t know anything about $DEPLOYMENT_KEY, this configuration will ultimately fail.
To achieve what you are after, you can use the repository settings to define secrets.