@Michael Lu You can use Azure Disk Encryption. It will still use dm-crypt, but it will store the key in an Azure Key Vault; it would be the Azure-recommended solution.
Azure Disk Encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. It uses the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets.
You can refer to this for more information.
The Azure platform needs access to the encryption keys or secrets in your key vault to make them available to the VM for booting and decrypting the volumes.
If you did not enable your key vault for disk encryption, deployment, or template deployment at the time of creation (as demonstrated in the previous step), you must update its advanced access policies.
You can refer to this article to Create and configure a key vault for Azure Disk Encryption.
Hope it helps!!!
Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics.
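An added example, not part of the original answer: a small check for the key vault access-policy step described above. It reads JSON shaped like `az keyvault show` output, lists which of the three settings (disk encryption, deployment, template deployment) are not enabled, and builds the `az keyvault update` command for the ones you ask for. The vault name, resource group and sample JSON are constructed placeholders, and enabling only disk encryption by default is an assumption made here to keep access minimal.

```python
import json
import shlex

# Key Vault property (as shown by `az keyvault show`) -> `az keyvault update` flag.
FLAGS = {
    "enabledForDiskEncryption": "--enabled-for-disk-encryption",
    "enabledForDeployment": "--enabled-for-deployment",
    "enabledForTemplateDeployment": "--enabled-for-template-deployment",
}

# Constructed sample, shaped like `az keyvault show` output (names are placeholders).
SAMPLE = json.loads("""
{
  "name": "example-kv",
  "resourceGroup": "example-rg",
  "properties": {
    "enabledForDeployment": true,
    "enabledForDiskEncryption": null,
    "enabledForTemplateDeployment": false
  }
}
""")


def disabled_policies(vault):
    """Return the access-policy properties that are not explicitly true."""
    props = vault.get("properties") or {}
    # az prints null for a flag that was never set; treat that as disabled.
    return [name for name in FLAGS if props.get(name) is not True]


def update_command(vault, wanted=("enabledForDiskEncryption",)):
    """Build the `az keyvault update` call for the wanted, still-disabled flags."""
    todo = [name for name in disabled_policies(vault) if name in wanted]
    if not todo:
        return None  # nothing to change
    cmd = ["az", "keyvault", "update",
           "--name", vault["name"], "--resource-group", vault["resourceGroup"]]
    for name in todo:
        cmd += [FLAGS[name], "true"]
    return shlex.join(cmd)


if __name__ == "__main__":
    print("disabled:", disabled_policies(SAMPLE))
    print(update_command(SAMPLE))
```

To check a real vault, save the output of `az keyvault show --name <vault> --output json` to a file and load it in place of `SAMPLE`.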