@Taskal Samal You cannot encrypt/decrypt the subscription keys as to authenticate the APIM API's it needs the subscription key without encryption as it is the first step to authenticate the request.
Alternatively, you can have a middle services/proxy that make the front end call and a middle service/proxy that make the call to the APIM using the plain text subscription key. There is already another discussion on the same in this thread.
You can also refer to Azure security baseline for API Management document for more details on how you can secure your cloud solutions on Azure and security controls defined by the Azure Security Benchmark and the related guidance applicable to API Management.