Comment on What are the best zoom alternatives?
Laitinlok@discuss.tchncs.de 1 year ago
Tutanota first uses the user password to generate an AES key using BCrypt; that AES key is then used to encrypt the private key. The encrypted private key and hashed AES key are then sent to the server, hence the server does not store or know the private key, and the hashed AES key is used to authenticate the user. It uses SHA256 for hashing. It’s safe because the hashing algorithm is one-way only and not reversible, meaning you can convert the hash to the password but only the other way around the password can generate the hash, so even if the server is compromised it doesn’t contain your password.
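
The flow described in the comment above, as an added example (not part of the original comment and not Tutanota's code). Assumptions: scrypt stands in for bcrypt because Node's built-in crypto module has no bcrypt, and the per-user salt, the AES-256-GCM mode, and all function names are hypothetical.

```javascript
// Illustrative sketch only; names and parameters are assumptions.
const nodeCrypto = require('node:crypto');

// Client: password -> symmetric key (scrypt used here in place of bcrypt).
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Client: SHA-256 of the derived key is what the server sees for login.
function verifierFor(key) {
  return nodeCrypto.createHash('sha256').update(key).digest();
}

// Client: encrypt the private key under the password-derived key.
function wrapPrivateKey(key, privateKey) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(privateKey), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unwrapPrivateKey(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on a wrong key
}

// Record the server stores: salt, verifier, encrypted blob. No password, no key.
function register(password, privateKey) {
  const salt = nodeCrypto.randomBytes(16);
  const key = deriveKey(password, salt);
  return { salt, verifier: verifierFor(key), wrapped: wrapPrivateKey(key, privateKey) };
}

// Server: constant-time comparison of the submitted verifier.
function serverAccepts(record, submitted) {
  return nodeCrypto.timingSafeEqual(record.verifier, submitted);
}

// Client login: re-derive the key, authenticate, then decrypt locally.
function login(record, password) {
  const key = deriveKey(password, record.salt);
  if (!serverAccepts(record, verifierFor(key))) return null;
  return unwrapPrivateKey(key, record.wrapped);
}
```

Using the stored verifier itself as the AES key fails to decrypt, which is why holding the server record alone does not expose the private key.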